1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,892,900
155.
Products infringing: Any product using
Microsoft Product Activation or Reader
Activation feature. ■■' .
A virtual distribution environment comprising
(a) a first host processing environment
comprising
CI) a central processing unit; ._
(2) main memory operatively connected
to said central processing unit;
computer running a Microsoft product
containing the Product Activation feature,
including Windows XP, Office XP, Visio
2002. Reader using its activation feature.
CPU of computer
main memory of computer
(3) mass storage operatively connected
to said central processing unit and said
main memory:
hard disk or other mass storage contained in
computer
(b) said mass storage storing tamper resistant
software designed to be loaded into said main
memory and executed by said central
processing unit, said tamper resistant software
comprising:
Microsoft Product Activation software
(1) machine check programming which
derives information from one or more
aspects of said host processing
environment.
CI1VU U1U11C1H,
(2) one or more storage locations
storing said information:
(3) integrity programming which
Product Activation software generates
hardware information relating to the host
processing environment as part of the
activation process
hardware information is stored in the
computer's storage
(i) causes said machine check
programming to derive said
information,
each time the Microsoft program starts up after
initial activation, Product Activation checks
the originally derived hardware information
against current hardware
(ii) compares said information
to information previously stored
in said one or more storage
locations, and
each time the Microsoft program starts up after
initial activation, Product Activation checks
the originally derived hardware information
against current hardware
(iii) generates an indication
based on the result of said
comparison: and
Product Activation software indicates whether
the test has passed or failed
(4) programming which takes one or
more actions based on the state of said
indication:
iJlHI,
(i) said one or more actions
including at least temporarily
halting further processing.
Product Activation software will allow system
startup procedures to continue, if test succeeds,
or discontinue startup and offer user
opportunity to reactivate if the test fails
Exhibit B \\
1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
n
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,892,900
156.
A virtual distribution environment comprising
(a) a first host processing environment
comprising
Product Infringing: Any product using
Microsoft Product Activation or Reader
Activation feature.
( 1) a central processing unit;
(2) main memory operatively connected
to said central processing unit;
computer running a Microsoft product
containing the Product Activation feature,
including Windows XP, Office XP, Visio 2002
and Reader
CPU of computer
main memory of computer
(3) mass storage operatively connected
to said central processing unit and said
main memory;
hard disk or oilier mass storage contained in
computer
(b) said mass storage storing tamper resistant
software designed to be loaded into said
main memory and executed by said central
processing unit, said tamper resistant
software comprising:
Microsoft Product Activation software
(1) machine check programming which
derives information from one or more
aspects of said host processing
environment "
Product Activation software generates
hardware information relating to the host
processing environment as part of the
activation process
(2) one or more storage locations
storing said information:
hardware information is stored in the
computer's storage
(3) integrity programming which
(i) causes said machine check
programming to derive said
information,
each time the Microsoft program starts up after
initial activation, Product Activation checks
the originally derived hardware information
against current hardware
(ii) compares said information
to information previously stored
in said one or more storage
locations, and
each time the Microsoft program starts up after
initial activation, Product Activation checks
the originally derived hardware information
against current hardware
(iii) generates an indication
based on the result of said
comparison: and ^_
Product Activation software indicates whether
the test has passed or failed
(4) programming which takes one or
more actions based on the state of said
indication:
(i) said one or more actions
including at least temporarily
disabling certain functions.
Product Activation may disable the underlying
software from generating new files or running
user applications if the test fails
: t
i|
Exhibit B!l
2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
1NTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,892,900
157.
A virtual distribution environment comprising
Product Infringing: Any product using
Microsoft Product Activation or Reader
Activation feature.
(a) a first host processing environment
comprising
computer running a Microsoft product
containing the Product Activation feature,
including Windows XP, Office XP, Visiq 2002
and Reader
(1) a central processing unit:
(2) main memory operatively connected
to said central processing unit:
CPU of computer
main memory of computer
(3) mass storage operatively connected
to said central processing unit and said
main memory:
hard disk or other mass storage contained in
computer
(b) said mass storage storing tamper resistant
software designed to be loaded into said
main memory and executed by said central
processing unit, said tamper resistant
software comprising:
Microsoft Product Activation software
(1) machine check programming which
derives information from one or more
aspects of said host processing
environment
Product Activation software generates hash
information relating to the host processing
environment as part of the activation process
(2) one or more storage locations
storing said information:
hardware information is stored in the
computer's storage .
(3) integrity programming which .
(i) causes said machine check
programming to derive said
information,
each time the Microsoft program starts up after
initial activation, Product Activation checks
the originally derived hardware information
against current hardware
(ii) compares said information
to information previously stored
in said one or more storage
locations, and
each time the Microsoft program starts up after
initial activation, Product Activation checks
the originally derived hardware information
against current hardware
(iii) generates an indication
based on the result of said
comparison: and
Product Activation software indicates whether
the test has passed or failed
(4) programming which takes one or
more actions based on the state of said
indication:
(i) said one or more actions
including displaying a message
to the user.
Product Activation software displays a
message to the user if the test fails
Exhibit B
3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v, MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,892,900
156.
Products infringing: Windows Media Player
A virtual distribution environment comprising
a first host processing environment comprising
WMP with Individualized DRM client
(referred to hereafter as the Individualized
WMP) running on a client computer
a central processing unit
Client CPU
main memory operatively connected to said
centra l processing unit
Client memory
mass storage operatively connected to said
central processing unit and said main memory
Local disk drive
said mass storage storing tamper resistant
software designed to be loaded into said main
memory and executed by said central
processing unit, said tamper resistant software
comprising:
Individualized WMP (I-WMP) stored on disk
and loaded into main memory upon execution.
I-WMP is tamper resistant.
machine check programming which derives
information from one or more aspects of said
host processing environment,
Individualization module is generated by the
MS individualization service either when the
un-individualized WMP tries to open licensed
content that requires a security upgrade (aka,
Individualization) or when the user requests an
upgrade un-provoked. The individualization
module is unique and signed and is bound to a
unique hardware ID using the MS machine
activation process.
one or more storage locations storing said
information
The aforementioned unique feature are located
in multiple places or storage locations
integrity programming which
causes said machine check programming to
derive said information,
The ID is regenerated by WMP/DRM client
when first loading the Individualized DRM
Client to access a piece of content requiring the
security upgrade
compares said information to information
previously stored in said one or more storage
locations, and
The program checks the new copy against the
one to which the individualized DRM client is
bound.
generates an indication based on the result of
said comparison: and
Program stores the result of this check. .
programming which takes one or more actions
based on the state of said indication
If these are not equal, the user is notified via a
message stating that he/she must acquire a
security upgrade (that is, the current security
upgrade is invalid). If they are equal then
processing of songs requiring Individualization
continues.
said one or more actions including at least
temporarily disabling cenain functions.
Songs targeted to this Individualization module
cannot be accessed until the upgrade is correct.
Exhibit li|
c 4 !
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
_24.
25
26
27
28
INTERTWIST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,892,900
157. A virtual distribution environment
comprising
Infringing products include: Windows Media
Player ' ;
a first host processing environment comprising
a central processing unit
See 156
main memory operatively connected to said
central processing unit
See 156
See 156
mass storage operatively connected to said
central processing unit and said main memory
See 156
said mass storage storing tamper resistant
software designed to be loaded into said main
memory and executed by said central
processing unit, said tamper resistant software
comprising:
See 156
machine check programming which derives
information from one or more aspects of said
host processing environment.
See 156
one or more storage locations storing said
information
See 156
integrity programming which causes said
machine check programming to derive said
information compares said information to
information previously stored in said one or
more storage locations, and
See 156
generates an indication based on the result of
said comparison: and
See 156
programming which takes one or more actions
based on the state of said indication
See 156
said one or more actions including displaying a
message to the user.
If these are not equal, the user is notified via a
message stating that he/she must acquire a
security upgrade (that is, the current security
upgrade is invalid).
Exhibit B
... 5 ..
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTER TRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,892,900
157.
Infringing Product: Microsoft's Windows File
Protection and System File Checker features,
embodied in Microsoft's Windows 2000,
Windows XP products, and Server 2003
A virtual distribution environment comprising
(a) a first host processing environment
comprising
computer running Microsoft Windows 2000 or
Windows XP.
(1) a central processing unit;
(2) main memory operatively connected
to said central processing unit:
CPU of computer
main memory of computer
(3) mass storage operatively connected
to said central processing unit and said
main memory:
hard disk or other mass storage contained in
computer
(b) said mass storage storing tamper resistant
software designed to be loaded into said
main memory and executed by said central
processing unit, said tamper resistant
software comprising:
Windows File Protection process/service
("WFP") and System File Checker (SFC.exe)
features of winlogon.exe. Winlogon.exe is
treated as a "critical" service by the Windows
operating system. Files supporting WFP
(including winlogon.exe, sfc.exe, sfc.dll (2000
only), sfcfiles.dll (2000 only) and sfc_os.dll
(XP only)) are "protected" files and are signed
using a signature verified by a hidden key. In
Windows 2000, WFP uses hidden functions
within the sfc.dll library. Functions are
imported by "ordinal" instead of "name.' r
(1) machine check programming which
derives information from one or more
aspects of said host processing
environment,
Winlogon either directly or using another dll
(XP) or using SFC.dll (2000) determines if
changed file was protected, computes the hash
of protected files and, if necessary, computes
the hash of the file in the dll cache before using
it to replace a file overwritten by an incorrect
version of the file. "
(2) one or more storage locations
storing said information:
hardware information is stored in the
computer's memory
(3) integrity programming which
(i) causes said machine check
programming to derive said
information,
Windows notifies Winlogon when there has
been a system directory change or a change in
the dll cache.
(ii) compares said information
to information previously stored
in said one oi more storage
locations, and
Winlogon either directly or using another dll
(XP) or using SFC.dll (2000) compares
computed hash with hash in the hash database
created from the Catalog file(s), and, if there is
a difference, compares the- hash of the file in
the dll cache to the hash database created from
. !!
Exhibit B !!•
6
1
2
3
4
5
6
7
8
9
10
11
12
13
14
.15
16
17
18
19
20
21
22
23
24
25
26
27
28
the Catalog flle(s) before using it to replace an
overwritten file.
(iii) generates an indication
based on the result of said
comparison: and
An event is written to the Event Viewer if
hashes do not agree.
(4) programming which takes one or
more actions based on the state of said
indication;
Depending on the circumstances, WFP
displays several messages to the user,
including prompting the user to contact the
system administrator, and to insert a CD-ROM.
(i) said one or more actions
including displaying a message
to the user.
See above. Messages also constitute viewable
Event Property pop-ups.
Exhibit B
7 : i
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,917,912
6.
Product Infringing: XBox
A process comprising the following steps:
The process constitutes assembly and use
of components making up an XBox game.
accessing a first record containing
information directly or indirectly
identifying one or more elements of a first
component assembly,
The first record consists of the second file
table on an XBox DVD, This table '
identifies the .xbe file which includes the
game information.
at least one of said elements including at
least some executable programming,
The xbe file includes executable
programming.
at least one of said elements constituting a
load module,
The xbe file is a load module.
said load module including executable
programming and a header:
The xbe file includes a header.
at least a portion of said header is a public
portion which is characterized by a
relatively lower level of security
protection: and
Most information the xbe header is not
obfuscated.
at least a portion of said header is a private
portion which is characterized, at least
some of the time, by a level of security
protection which is relatively higher than
said relatively lower level of security
protection.
The entry point address and the kernel
image thunk address listed in the xbe
header are obfuscated and therefore at a
higher level of security protection.
using said information to identify and
locate said one or more elements; .
The second file table identifies the .xbe
file, including where that file is located.
accessing said located one or more
elements:
The .xbe file is accessed by the XBox.
securely assembling said one or more
elements to form at least a portion of said
first component assembly;
At runtime, the .xbe file is assembled with
certain services of the operating system to
form a component assembly. Security
associated with this assembling process
includes verifying signatures associated
with portions of the .xbe file, and replacing
obfuscated calls to operating system
services with actual addresses.
The assembly may also include patch files
downloaded from a remote server.
Game play requires execution of the
executing at least some of said executable
Exhibit Bi!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
programming: and
assembled programming.
checking said record for validity prior to
performing said executing step.
The second file table is protected by a
digital signature, and is not loaded/used
unless the digital signature is verified
against the file.
7. A process as in claim 6 in which:
said relatively lower level of security
protection comprises storing said public
header portion in an unencrypted state; and
The header is protected by the techniques
protecting the xbe such as signing and
security descriptors, but it is not encrypted
except as noted below.
said relatively higher level of security
protection comprises storing said private
header portion in an encrypted state.
The entry point address and the kernel
image thunk address listed in the xbe
header are obfuscated. The Xbox SDK's
(XDK) image build uses a key value shared
with the retail XBox to perform two XOR
operations against the addresses
Exhibit £i
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
JNTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRDST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,917,912
i.
Infringing products: Microsoft CLR or CCLR
and .NET Framework SDK and products that
include one or both of these.
\ process comprising the following steps:
a) accessing a first record containing
nformation directly or indirectly identifying
>ne or more elements of a first component
issembly,
The first record is either an assembly manifest,
or a whole assembly; the elements are other
assemblies that are referenced as external in
the first record; the first component assembly
\i a .NET application domain.
(1) at least one of said elements
including at least some executable
programming,
Assembly contains executable programming.
(2) at least one of said elements
constituting a load module.
This is an external assembly referenced in the
first record.
(i) said load module including
executable programming and a
header;
Assemblies include executable programming,
and the assembly manifest and CLS type
metadata constitute a header.
(ii) said header including an
execution space identifier
identifying at least one aspect of
an execution space required for
use and/or execution of the load
module associated with said
header:
This feature is provided for in the .NET
architecture through numerous mechanisms,
for example, by demands for ZonelD
permissions.
(iii) said execution space
identifier provides the capability
for distinguishing between
execution spaces providing a
higher level of security and
execution spaces providing a
lower level of security:
SecurityZorie or other evidence provides this
capability.
b) using said information to identify and
ocate said one or more elements;
Manifest and type metadata information
section is used to identify and locate files, code
elements, resource elements, individual classes
and methods.
c) accessing said located one or more
lements;
Step carried out by the CLR or CCLR loader.
d) securely assembling said one or more
lements to form at least a portion of said first
omponent assembly;
CLR or CCLR carries out this step, including
checking the integrity of the load module,
checking the load module's permissions,
placing the load module contents into an
application domain, isolating it from malicious
or badly behaved code, and from code that
does not have the permission to call it.
e) executing at least some of said executable
irogramming: and
Step carried but by the CLR/CCLR and the
CLR/CCLRhost. ■
Exhibit fi|
in
1
2
3
4
5
6
7
8
9
1 A
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
(f) checking said record for validity prior to
performing said executing step.
The CLR/CCLR checks the authenticity and
the integrity of the first .NET assembly.
9. A process as in claim 8 in which said
execution space providing a higher level of
security comprises a secure processing
environment. •
The CLR/CCLR constitutes a secure
processing environment.
13. A process as iii claim 8 further comprising:
(a) comparing said execution space identifier
against information identifying the execution
space in which said executing step is to occur;
and
In one example, the
ZoneldentityPermissionAttribute SecurityZone
value demanded by control in the assembly
manifest is compared against the SecurityZone
attribute value corresponding to the calling
method ;
(b) taking an action if said execution space
identifier requires an execution space with a
security level higher than that of the execution
space in which said executing step is to occur.
CLR/CCLR will throw an exception and*
transfer control to an exception handler in the
calling routine, or it will shut down the
application if there is no such exception
handler, if the permissions do not include the
permissions required by the
ZoneldentityPermissionAttribute. The
ZoneldentityPermissions are hierarchical,
unless customized.
14. A process as in claim 13 in which said
action includes terminating said process prior
to said executing step.
CLR/CCLR may terminate the process or
transfer control to an exception handler that
may itself terminate the process.
Exhibit B
11
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
1NTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,917,912
J.
Products infringing include Windows Installer
SDK, and products that include the Windows
Installer technology.
A process comprising the following steps:
Scenario 1: use of Windows Installer packages
(i.e. ,MSI files) to create Windows Installer-
enabled applications, such as Office 2000 and
used of the WI service to install them.
Scenario 2: software distribution technologies
that use the Windows Installer OS service for
installation, such as Internet Component
Download and products like Office Web
Components.
Either scenario can be used by SMS,
IntelliMirror and third party tools like
InstallShield and WISE.
NT or later operating systems (because they
use the subsystem identifier)
using cabinet files, .CAB, (because they have a
manifest and INF and/or OSD files), and
have been signed with a digital signature and
will be authenticated by Authenticode or
WinVerifyTrust API and
contain at least one PE (portable executables)
a) accessing a first record containing
nformation directly or indirectly identifying
)ne or more elements of a first component
issembly,
Scenario 1 : First record is the .MSI file that
contains information on what goes in the
assembly and how to install the assembly.
Scenario 2:
A. First record is the cabinet manifest
(indirect instructions)
B. Or, First record can be INF and/or OSD
files (direct instructions)
(1) at least one of said elements
including at least some executable
programming,
Both scenarios: The PE (portable executable)
in the cabinet file is the executable
programming.
(2) at leasi one of said elements
constituting a load module.
Both scenarios: PE is a load module:
(i) said load module including
ex ecutabl e programming and a
Both scenarios: The PE has several headers.
Exhibit B H
1
2
3
. 4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
header;
(ii) said header including an
execution space identifier
identifying at least one aspect of
an execution space required for
use and/or execution of the load
module associated with said
header; '
Both scenarios: SUBSYTEM is a field in the
PE Optional Header that is an execution space
(iii) said execution space
identifier provides the capability
for distinguishing between
execution spaces providing a 1
higher level of security and
execution spaces providing a
lower level of security;
Both scenarios: SUBSYSTEM distinguishes
between programs that can run in kernel mode
and those that can run in user m6de.: This is a
key security concept of process separation that
was introduced with Windows NT.
The Subsystem field in the PE header is used
by the system to indicate whether the
executable will run within Ring 3 (user mode)'
or use Ring 0 (native or kernel mode).
Anything running in Ring 3 is limited to its
own processing space. Executables running in
Ring 0 can reach out to other spaces and have
security measure built around them.
b) using said information to identify and
ocate said one or more elements:
Scenario 1 : the MSI file identifies and locates
the elements
Scenario 2:
.CAB manifest is used to identify Physical
location
OSD and/or INF is used to identify Logical
location
c) accessing said located one or more
Jements;
Scenario 1 : Using the MSI file
Scenario 2: Using INF and/or OSD in cabinet
file
d) securely assembling said one or more
lements to form at least a portion of said first
omponent assembly;
Both scenarios: Using the Window Installer
OS service with various properties and flags on
the settings for higher protection.
Windows Installer has numerous flags that the
developer can set to indicate how the assembly
will be installed, in what privilege level, with
how much user interface, and how much ability
the user has to watch or change what is
occurrinp. These controls have been
strengthened with each release of Windows
Installer. Windows Installer 1.1 and later has
the ability to limit the users capabilities during
the installation. In a Windows 2000
ii
ir
Exhibit Bli
'n
1
2
3
A
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
environment and later, using the Group Policy-
based Change and Configuration Management,
the administrator has the most control
Fields that can be set by the developer or
administrator to control what users can do
include the following:
Transformssecure can be set to a value of 1 .
to inform the installer that transforms are to be
cached locally on the user's computer in a
location the user does not have write access.
(Transforms create custom installations from a
basic generic installation, for example to make
the Finance versions different from the
Marketing version or English versions different
from Japanese versions.)
AllowLockdownBrowse and DisableBrowse
can prevent users from browsing to the
sources.
SourceList can be used to specify the only
allowable source to be used for the installation
of a given component.
Environment can be used to specify whether
the installation can be done while the user is
logged on or only when no user is logged on.
Security Summary Property conveys whether
a package can be opened as read-only or with
no restriction.
Privileged Property is used by developers of
installer packages to make the installation
conditional upon system policy, the user being
an administrator, or assignment by an
administrator.
Restricted Public Properties can be set as
variables for an installation. "For managed
installations, the package author may need to
limit which public properties are passed to the
server side and can be changed by a user that is
not a system administrator. Some are
commonly necessary to maintain a secure
environment when the installation requires the
installer use elevated privileges. "
SecureCustomProperties can be created by the
author of an installation package to add
controls beyond the default list
MsiSetlnternalUJ specifies the level of user
interface from hone to full.
A Sequence Table can be used to specify the
required order of execution for the installation
process. There are three modes, one of which is
the Administrative Installation that is used by
the nenvorlc administrator to assign and install
applications.
InstallServicesAction registers a service for
ihe svstem and it can onlv be used if the user is
Exhibit B:
14
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
an administrator or has elevated privileges with
permission to install services or that the
application is part of a managed installation.
DisableMedia system policy disables media
sources and disables browsing to media
sources. It can be used with DisableBrowse to
secure installations version 1.1 that doesn't
have some of the other capabilities. *
AlwaysInstdllElevated can be set per user or
per machine and is used to install managed
applications with elevated privileges.
AllowLockdownBrowse,
AllowLockdownMedia and
AlIowLockdowhPatch set these capabilities so
they can only be performed by an administrator
during an. elevated installation. .
[See article "HowTo: Configure Windows
Installer for Maximum Security (Q247528). •
Windows XP Professional and .NET have the
additional capability to set Software Restriction
Policies and have these used by Windows
Installer.
In addition, most of the software distribution
technologies that use Windows Installer also
add a layer of their own controls. For example,
SMS 2.0 enables the administrators to control
the installation is optional or required and
whether the user can affect the installation
contents/features at all.
(e) executing at least some of said executable
programming; and
Both scenarios: Part of executable is called
during installation in order to do self-
registration or perform custom actions. The
overall executable is used at runtime.
(f) checking said record for validity prior to
performing said executing step.
Scenario 1 : Sign the overall package and the
cabinet files.
Scenario 2: The cabinet file is signed.
For IE with the default security level or higher,
the digital signature is verified by
Authenticode or a similar utility before the
component is allowed to be assembled.
Exhibit B
- 15 ;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
•
•
JNTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,917,912
35.
Products infringing include all products that
host the Microsoft .NET Common Language
Runtime or Compact Common Language
Runtime.
f\ proccbb curupribin^ inc juijuwiii^ Mcpb.
(a) at a first processing environment receiving
a first record from a second processing
environmem remote irom saio iirsi processing
environment:
Computer running the Microsoft CLR/CCLR
receives, for example, a shared assembly
another computer, for example a server.
(1) said first record being received in a
secure container;
The shared assembly is cryptographically
nasneu <mu signcu.
(2) said first record containing
identification information directly or
indirectly identifying one or more
elements of a first component
assemblv:
The first record is either an assembly manifesi,
or a wnoie assemuiy, inc eicmenis arc oiner
assemblies that are referenced as external in
xne htm icluiu, ujc him L/Uijijjuiicju aoo^iiiviy
is a .NET application domain.
(i) at least one of said elements
including at least some
executaoje programmins.
Assembly contains executable programming.
(ii) said component assembly
allowing access to or use of
specified information;
The specified information can include any kind
of data file, stream, log, environment variables,
etc.
(3) said secure container also including
a first of said elements;
The shared assembly includes at least some
executable propramminc.
(b) accessing said first record
CLR/CCLR accesses the assembly or
as>semDJY ncducr.
(c) using said identification information to
luenuiy anu jocaie saiu one or more ejemcriib,
Manifest and type metadata information
cpfMiriYi ic ncpH tn iH'pntift/ 5inn loffltf* Tilf*<! rnnP
oCClJUil 12> UoCU l\J JVJwJlllJ.Y cLIJU lU^alv tuuw
elements, resource elements, individual classes
and methods.
(1) said locating step including locating
d oCv/UIJU Ul oaJU CJCliJCiilo dl <X IJ1JJU
processing environment located
remotely from said first processing
environment and said second
processing environment;
Met by a multifile assembly, with files
distributed aem^ a network or bv the second
element constituting another referenced
assembly located elsewhere; the CLR/CCLR
uses probing to locate and access the file.
nrrp^sino said lncalpd one or more
elements;
Step carried out by the CLR/CCLR loader.
(1) said element accessing step
including retrieving said second
element from said third processing
environment:
Step carried out by the CLR/CCLR loader.
(e) securely assembling said one or more
elements to form at least a portion of said first
component assembly specified by said first
record; and
CLR/CCLR carries out this step, including
checkinp the integrity of the load module,
checking the load module's permissions,
placing the load module contents into an
application domain, isolating it from malicious
or badlv behaved code, and from code that
i
Exhibit B ]
1 A
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
does not have the permission to call it.
(f) executing at least some of said executable Step carried out by the CLR/CCLR.
programming.
(1) said executing step taking place at CLR/CCLR is operating in the first processing
said first processing environment. environment specified above.
, ' ;!
■ ii
Exhibit Bi!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR US. PATENT NO. 5,920,861
34.
Product Infringing: Microsoft Operating
Systems that support device driver
signature technology
A descriptive data structure embodied on a
computer-readable medium or other logic
device including the following elements:
a representation of the format of data
contained in a first rights management data
structure
The driver package's INF is a data
structure. The INF contains multiple types
of sections, structured as hierarchy
/"branches," that the Windows operating
system or its Plug and Play and/or Set-up
installation services "branch" through
based on the operating system information
and device for which a driver is to be
installed. The installation services use the
"branching" structure (format) to determine
what files should be installed. The INF,
further provides disk location information
and file directory path information for the
files identified as necessary as a result of
the "branching" process.
The driver package is a "rights
management" data structure based on the
fact that it is governed and based on the
fact that it processes governed information.
Rights Management as Governed Item
A driver manufacturer can include rules
governing the driver's installation ancl/or
use in the driver's INF file. For example:
Security entries specify an access control
list for the driver.
Driver developers can specify rules that
determine behavior of the driver package
based on. the user's operating system
version, including product type and suite
and "ffie'devi'ce 'fb"f which the driver is to be
installed
Rules specifying logging
Local administrators can establish policy as
in what action or notification should occur
in the event that a driver being installed is
not signed.
Exhibit B ij
18 :
1
2
3
4
5
6
7
8.
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Hie operating system installation services
have a ranking criteria it follows when
multiple drivers are available for a newly
detected device. The criterion is used to
determine the driver best suited for
ensuring compatibility with the operating
system and ensuring functionality of the
device.
Drivers have been certified to be
compatible with specified operating system
versions for their respective device classes.
The catalog file protects the integrity of the
driver.
Microsoft distributes the Driver Protection
List to prevent known bad deriver from
being installed.
Processing Rights Managed Items
Certain drivers (SAP) have been explicitly
certified to protect DRM content.
MSDN - DRM Overview
A DRM-compliant driver must prevent
unauthorized copying while digital content
is being played. In addition, the driver must
disable all digital outputs that can transmit
the content over a standard interface (such
as S/PDIF) through which the decrypted
content can be captured.
said representation including:
element information contained within
said first rights management data
structure; and
The elements of a driver package include:
A driver that is typically a dynamic-link
library with the .sys filename extension.
An INF file containing information that the
system Setup components use to install
support for the device.
A driver catalog file containing the digital
signature.
One or more optional co-installers which
are a Win32® DLL that assists in device
installation NT-based operating systems.
Other files, such as a device installation
application, a device icon, and so forth.
XP DDK - INF Version Section
The LayoutFile entry specifies one or more
additional system-supplied INF files that
contain layout information on the source
media required for installing the software
293482.02
Exhibit B
19
1
2
3
4
5
6
7
. 8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
described in this INF. All system-supplied
INF files specify this entry.
The CatalogFile entry specifies a catalog
(.cat) file to be included on the distribution
media of a device/driver,
organization information regarding
the organization of said elements
within said first rights management
data structure: and
Within an INF is a hierarchy with the top
being a list of manufacturers, and sub-lists "
of models and at the bottom a list of install
information by model.
For Windows XP and later versions of NT-
based operating systems, entries in the
Manufacturer section can be decorated to
specify operating system versions. The
specified versions indicate OS versions
with which the specified INF Models
sections will be used. If no versions are
specified, Setup uses the specified Models
section for all versions of all operating
systems.
INF's SourceDisksNames and
SourceDisksFiles sections specify
organization information.
XP DDK ~ Source Media for INFs
The methods you should use to specify
source media for device files depend on
whether your INFs ship separately from the
operating system or are included with the
operating system.
INFs for drivers that are delivered
separately from the operating system
specify where the files are located using
SourceDisksNames and SourceDisksFiles
sections.
If the files to support the device are
included with the operating system, the
INF must specify a LayoutFile entry in the
Version section of the file. Such an entry
specifies where the files reside on the
operating system media. An INF that
specifies a LayoutFile entry must not
include SourceDisksNames and
SourceDisksFiles sections.
XP DDK - INF SourceDisksNames
Section
A SourceDisksNames section identifies
the distribution disks or CD-ROM discs
that contain the source files to be
transferred to the target machine during
installation. Relevant values of an entry in
the INF include:
diskid « Specifies a source disk.
disk-description - Describes the contents
293482.02
Exhibit B |!
1
2
3
4
5
6
7
8
9
in
A W
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
•
•
and/or purpose of the disk identified by
diskid.
lag-or-cab-file - This optional value
specifies the name of a tag file or cabinet file
supplied on the distribution disk, either in.
the installation root or in the subdirectory
specified by path, if any.
path— This optional value .specifies the
path to the directory on the distribution
disk containing source files. The path is
relative to the installation root and is
expressed as \dirnamel\dirname2... and so
forth. .;.
flags For Windows XP and later, setting
this to 0x10 forces Setup to use cab-or-tag-
file as a cabinet file name, and to use tag-
file as a tag file name. Otherwise,,//^ is
for internal use only.
tag-file — For Windows XP and later, if
flags is set to 0x10, this optional value
specifies the name of a tag file supplied on
the distribution medium, either in the
installation root or in the subdirectory
specified by path. The value should specify
the file name and extension without path
information.
XP DDK INF SourceDisksFiles Section
A SourceDisksFiles section names the
source files used during installation,
identifies the source disks (or CD-ROM
discs) that contain those files, and provides
the path to the subdirectories, if any, on the
distribution disks containing individual
files. Relevant values in an entry in the
INF would include:
filename Specifies the name of the file on
the source disk.
diskid — Specifies the integer identifying
the source disk that contains the file. This
value and the initial path to the
5wW/r(ectory), if any, containing the
named file must be defined in a
SourccDisksNames section of the same
INF.
subdir ~ This optional value specifies the
subdirectory (relative to the
SourccDisksNames path specification, if
any ) on ine source qisk wnere ine named
file resides.
26
iTOormauon relating 10 meiaoaia, saio
metadata including:
27
28
metadata rules used at least in part to
govern at least one aspect of use and/or
display of content stored within a rights
management data structure.
The drivei manufacture can specify rules in '
the INF that govern the installation anchor
use or tne driver, ror example, secuniy
entries specify an access control list for the
■ i
;
1 1
Exhibit B;
293482.02
driver. Driver developers can specify rules
in an INF file that determines behavior of
the driver package based on the user's
operating system version, including
product type and suite. Also, rules related
to logging can be specified as mentioned in
next claim element.
For Example - Access Cdntrol List
Rules
XP DDK - Tightening File-Open
Security in a Device INF File
For Microsoft Windows 2000 and later,
Microsoft tightened file-open security in
the class installer INFs for certain device
classes, including CDROM, DiskDrive,
FDC, FloppyDisk, KDC, and
SCSIAdapter.
If you are unsure whether the class installer
for your device has tightened security on
file opens, you should tighten security by
using the device's INF file to assign a value
to the DeviceCharacteristics value name
in the registry. Do this within an add-
registry-section, which is specified using
the INF AddReg directive.
XP-DDK « INF AddReg Directive
An INF can also contain one or more,
optional add-registry-section.security
sections, each specifying a security
descriptor that will be applied to all registry
values described within a named add-
registry-section.
A Security entry specifies a security
descriptor for the device. The security-
descriptor-string is a string with tokens to
indicate the DACL (D:) security
component. A class-installer INF can
specify a security descriptor for a device
class. A device INF can specify a security
descriptor for an individual device,
overriding the security for the class. If the
class and/or device INF specifies a
security-descriptor-string, the PnP
Manager propagates the descriptor to all
the device objects for a device, including
the FDO, filter DOs, and the PDO.
For Example - Operating System
Versioning
Operating-System Versioning for Drivers
!l
Exhibit B!
oo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
under Windows XP
Setup selects the [Models] section to use
based on the following rules:
If the INF contains [Models] sections for
several major or minor operating system
version numbers, Setup uses the section
with the highest version numbers that are
not higher than the operating system
version on which the installation is taking
place.
If the INF [Models] sections that match the
operating system version also include
product type decorations, product suite
decorations, or both, then Setup selects the
section that most closely matches the
running operating system.
said metadata rules including at least
one rule specifying that information
relating to at least one use or display of
said content be recorded and/or
reported.
The AddService directive can set up event-
logging services for drivers.
INF AddService Directive
An AddService directive is used to control
how (and when) the services of particular
Windows 2000 or later device's drivers are *
loaded, any dependencies on other
underlying legacy drivers or services, and
so forth. Optionally, this directive sets up
event-logging services by the
devices/dnvers as well.
Relevant sections of the directive's entry
include:
event-log-install-section -Optionally
references an INF-writer-defined section in
which event-logging services for this
device (or devices) are set up.
EventLogType — Optionally specifies one
of System, Security, or Application. If
omitted, this defaults to System, which is
almost always the appropriate value for the
installation of device drivers. For example,
an INF would specify Security only if the
to-be-installed driver provides its own
security support.
EventName — Optionally specifies a name
to use for the event log. If omitted, this
defaults to the given ServiceName.
$5. A descriptive data structure as in claim
34, in which:
said first rights management data structure
:omprises a first secure container.
The driver package is secured through a
catalog file that is signed by Microsoft's
Windows Hardware Quality Lab and
Exhibit BH
~?3
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
• •
contains the hash of each file of the driver's
package. The INF identifies the catalog
file used to sign the driver package.
36. A descriptive data structure as in claim
35, in which:
said first secure container comprises: •
The first secure container is the driver,
package secured bv a catalog file.
said content; and
The content is the driver afid related files
within the signed driver package.
rules at least in part governing at least
. one use of said content.
The rules are within the INF, which is part
of the signed driver package.
37. A descriptive data structure as in claim
36, wherein the descriptive data structure is
stored in said first secure container.
The INF is stored within the signed driver •
package.
44. A descriptive data structure as in claim
34, further including:
i
a representation of the format of data
contained in a second rights management
data structure,
The manufacture and models sections in
the INF Version section are provided for
the possibility of a single INF representing
the format for multiple drivers.
Operating system version "decorating"
relating the architecture, major and minor
operating systems versions, product and
suit information all relate to the target
environment and is used to identify the
files necessary for the target environment.
An INF file, such as in the case of
operating system targeting, can be used for
more than one driver package since it can
contain more than one catalog file.
Further an INF can address the drives
necessarv for a multi-functional device.
said second rights management data
structure differing in at least one respect
from said first rights management data
structure.
The files of the second data structure would
vary from the files on the first data
structure.
45. A descriptive data structure as in claim
44. in which:
said information regarding elements
contained within said first rights
management data structure includes
information relating to the location of at
least one such element.
INF specify where the driver files are
located using the SourceDiskNames and
SourceDiskFiles sections.
46. A descriptive daia structure as in claim
44, further including:
a first target data block including
information relating to a first target
Operating system version "decorating"
relatineithe architecture, maior and minor
'!! ....
ii
Exhibit HI
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
• •
environment in which the descriptive data
structure may be used.
operating systems versions, product and
suit information all relate to the first target
environment.
47. A descriptive data structure as in claim
46. farther including:
a second target data block including
information relating to a second' target
environment in which the descriptive data
structure mav be used.
Operating system version decorating will
cover multiple operating systems.
said second target environment differing in
at least one respect from said first target
environment.
This is the reason for version decorating.
48, A descriptive data structure as in claim
46, further including:
a source message field containing
information at least in part identifying the
source for the descriptive data structure.
The provider entry in the version section of
the INF identifies the provider of the INF
file. Also, the INF contains a manufacture
section.
I !
Exhibit B il
2*
1
2
3
. 4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTER TRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
1NTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,920,861
58.
Product Infringing: Microsoft Reader SDK
and Microsoft Dieital Asset Server, ;
\ method of creating a first secure
container, said method including the
following steps:
Method is carried out by Microsoft's
Digital Asset Server and Microsoft's
.Litgen tools
a) accessing a descriptive data structure,
said descriptive data structure
including or addressing
.opf file describing the file structure of a
protected e-book including metadata,
manifest, and "spine" information
(1) organization information at least
in part describing a required or
desired organization of a content
section of said first secure
container, and
Organization information regarding
organization of the ebook and the
inscription as specified in the manifest and
spine information in the .opf file
(2) metadata information at least in
part specifying at least one step
required or desired in creation of
said first secure container:
Metadata constitutes rules specifying the
degree of security to use and/or XrML
rules
b) using said descriptive data structure to
organize said first secure container
contents
e-book packaging carried out by Microsoft
Litgen tool
c) using said metadata information to at
least in part determine specific
information required to be included in
said first secure container contents;
and
Step performed by Digital Asset Server;
example of specific information is
owner/purchaser information required in
the inscription process
d) generating or identifying at least one
rule designed to control at least one
aspect of access to or use of at least a
portion of said first secure container
contents.
Analyzing the metadata and finally
packaging the e-book using a particular
security level specified through the
metadata
?1. A method as in claim 58, in which:
a) said specific information required to
be included includes information at
least in part identifying at least one
owner or creator of at least a portion of
said first secure container contents.
Owner purchaser information required in
the inscription process; XrML rule
requiring display of copyright notice
Exhibit B ij
'26
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
JNTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,920,861
58.
Product Infringing: All products that host
the Microsoft Common Language Runtime
or Compact Common Language Runtime.
A method of creating a first secure
container, said method including the
following steps;
Method is practiced by a user using the
Common Language Runtime (CLR) or
Compact Common Language Runtime
(CCLR) to create a dynamic shared
assembly or -NET Framework SDK to
create a shared assembly
(a) accessing a descriptive data structure,
said descriptive data structure
including or addressing
.NET framework Assembly class and/or
AssernblyBuiider class and/or
Assemblylnfo file
(1) organization information at least
in part describing a required or
desired organization of a content
section of said first secure
container, and . i
This information is specified in the classes
named above and in the Assemblylnfo file.
(2) metadata information at least in
part specifying at least one step
required or desired in creation of
said first secure container;
This information is addressed in the classes
and the Assemblylnfo file, e.g., for a shared
assembly metadata will be specified that
the assembly is to be signed using specified
key
(b) using said descriptive data structure to
organize said first secure container
contents;
This step is carried out by applications and
tools using the classes and assembly info
file, including CLR (or CCLR) and .NET
Framework SDK
(c) using said metadata information to at
least in part determine specific
information required to be included in
said first secure container contents;
and
This step is carried out by applications and
tools using the assembly info file and
classes that. specify the metadata required
in the target assembly
(d) generating or identifying at least one
rule designed to control at least one
aspect of access to or use of at least a
portion of said first secure container
contents.
User may specify rules, as specified in the
.NET Framework SDK, to be placed in the
assembly manifest including such rules
requiring that all code be managed (CLR or
CCLR compliant), "Code Access Security"
permissions be supplied for use of code
supplied in the assembly, etc
64. A method as in claim 58. in which:
(a) said creation of said first secure
container occurs at a first data
processing arrangement located at a
first site;
Can be a server, PC or workstation running
CLR (or CCLR) to create a dynamic shared
assembly or .NET Framework SDK to
create a shared assembly)
(b) said first data processing arrangement
including a communications port; and
Included in virtually any compute?
(c) said method further includes:
(1) prior to said step of accessing said
descriptive data structure, said
Download of the assemblyinfo file and/or a
file containing a class calling -the
Exhibit Bii
07
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
first data processing arrangement
receiving said descriptive data
structure from a second data
processing arrangement located at
a second site,
DefineDynamicAssembly methods or
download of SDK containing
assemblybuilder class from a second site
d) said receipt occurring through said first
data processing arrangement
communications port.
Communications port is normally used for
downloading
>7. A method as in claim 64, further
comprising:
tt said first processing site, receiving said
metadata through said communications
port.
Download of the Assemblylnfo file and/or
a file containing a class calling the
DefineDynamicAssembly methods or
download of SDK containing
assemblybuilder class from a second site
i8. A method as in claim 67, in which*
a) said metadata is received separately
from said descriptive data structure.
Method practiced when metadata names are
addressed by the assembly class and a
template for the Assemblylnfo file, and
values corresponding to those names are
received through a user interface such as
provided by Microsoft Visual Studio or are
provided from a separate file
1. A method as in claim 58, in which:
a) said specific information required to
be included includes information at
least in part identifying at least one
owner or creator of at least a portion of
said first secure container contents.
The Assembly class definition includes
attributes for company name and trademark
information, and these may be required
attributes specified in the Assemblylnfo file
2. A method as in claim 58, in which:
a) said specific information required to
be included includes a copyright
notice.
The Assembly class definition includes an
attribute for copyright field that may be
required by the Assemblylnfo file
Exhibit Bli
28 '
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,920,861
58.
Product Infringing: Microsoft .NET
Framework, Visual Studio .NET, and tools
that include the Assembly Generator tool
AL.exe.
A method of creating a first secure
container, said method including the
following steps;
The Assembly Generation tool generates
a portable execution file with an assembly
manifest from one or more files that are
either Microsoft intermediate language
(MSIL) modules or resource files. When
using the tool's signing option, the
assembly becomes a secure container.
(a) accessing a descriptive data structure,
said descriptive data structure
including or addressing
The descriptive data structure is the text
file used as input by the Assembly
Generation tool.
(1) organization information at least
in part describing a required or
desired organization of a content
section of said first secure
container, and
The DDS specifies the link and or embed
directives to indicate which source files
should be included in the assembly, how
the included resource will be tagged, and if
the resource will be private. Private
resources are not visible to other
assemblies.
These tags are used to organize the
assembly into named sections.
Private attributes are used to organize the
assembly into both public and private
sections. (Tublic sections are the default.)
(2) metadata information at least in
part specifying at least one step
required or desired in creation of
said first secure container;
The text file can contain "options" relating
to how the assembly should be built and
additional information that should be
included.
Main - Specifies the method to use as
an entry point when converting a
module to an executable file.
Jii\*lQ — opCL/IUCo oil algVl ilIUll IU JJooll
all files.
Comp - Specifies string for the
Company field.
Conf - Specifies string for
Configuration field
Copy- Specifies string for Copyright
field.
Culture - Specifies the culture string to
associate with the assembly.
Delay - Variation of this option .
i jSDe'cifies whether the assembly -will-be
Exhibit B
29
fully or partially signed and whether the
public key is placed in the assembly.
Description - Specifies the description
field.
Evidence - Embeds file in the assembly
with the resource name
; Security.Evidence.
Fileversion - Specifies the file version
of the assembly.
Flags - Specifies flags for such things
as the assembly is side-by-side
compatible, assembly cannot execute
with other versions if either they are
executing in the same application
domain, process or computer.
Keyf- Specifies a file that contains a
key or key pair to sign an assembly.
Keyn - Specifies the container that holds
a key pair.
Product - Specifies string for Product
field.
Productv - Specifies string for Product
Version.
lempiaie — apecines tne assembly iro
which to inherit all assembly metadata.
Title - Specifies string for Title field.
Trade - Specifics string for Trademark
field.
F- Specifies version information.
(b) using said descriptive data structure to
organize said first secure container
contents
The following directives are used to specify
which files are to be compiled into the
assembly, how they will be tagged, and
whether or not they will be visible to other
assemblies, AKA private:
Embedfname, private J - copies the
content of the file into the assembly and
dppjies an optional name tag, ano
optional private attribute.
Linkfname, private] - file becomes part
of the assembly via a link and applies an
optional name tag, and optional private
attribute.
(c) using said metadata information to at
least in part determine specific
information required to be included in
said first secure container contents;
and
The following are some of the "options"
address what information should be
included in the secure container:
Main - Specifies the method to use as
an entry point when converting a
module to an executable file.
Comp - Specifies string for the
Company field.
Conf- Specifies string for
Configuration field
Cow- Specifies strine for CoDvrisbt
Exhibit B j !
in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
field.
Culture - Specifies the culture string to
associate with the assembly.
Description - Specifies the description
field.
Evidence - Embeds file in the assembly
with the resource name
Security.Evidence.
Fileversion - Specifies the file version
of the assembly.
Flags - Specifies flags for such things
as the assembly is side-by-side
compatible, assembly cannot execute
with other versions if either they are ,
executing in the same application
domain, process or computer.
Keyf - Specifies a file that contains a
key or key pair to sign an assembly.
Keyn - Specifies the contained that holds
a key pair.
Product - Specifies string for Product
field.
Productv - Specifies string for Product
Version.
Template - Specifies the assembly fro
which to inherit all assembly metadata.
Title - Specifies string for Title field.
Trade - Specifics string for Trademark
field.
K- Specifies version information.
(d) generating or identifying at least one
rule designed to control at least one
aspect of access to or use of at least a
portion of said first secure container
contents .
User may specify rules, as specified in the
.NET Framework SDK, to be placed in the
assembly manifest including such rules
requiring that all code be managed (CLR
compliant), "Code Access Security"
permissions be supplied for use of code
supplied in the assembly, etc.
71. A method as in claim 58, in which:
(a) said specific information required to
be included includes information at
least in part identifying at least one
owner or creator of at least a portion of
said first secure container contents.
The following "options" specifies owner
and creator information:
Comp - Specifies string for the
Company field.
Copy- Specifies string for Copyright
field.
Trade - Specifics string for Trademark
field.
72. A method as in claim 58, in which:
(a) said specific information required to
be included includes a copyright
notice.
The copy "option" specifies the string for
the for the Copyright field.
Exhibit B ; !
31 '
1
2
3
4
5
6
7
.8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
1NTERTRVST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,982,891
L.
Products infringing: All products that include
the Common Language Runtime or Compact
Common Language Runtime or Common
Language Infrastructure.
A method for using at least one resource
Drocessed in a secure operating environment at
i first appliance, said method comprising:
Resource may constitute a Microsoft Windows
process or hardware element; secure operating
environment is Microsoft Common Language
Runtime ("CLR") environment, Common
Language Infrastructure ("CLI") or Compact
CLR ("CCLR"); first appliance is computer
running CLR, CLI or Compact CLR. Two
infringing scenarios are set forth herein: (1)
For CLR, an administrator, using the .NET
framework, caspol.exe tool remotely configures
security policy in a .NET configuration file for
a machine, enterprise, user, or application and
that security policy interacts with rules or
evidence declared in a shared assembly
provided by another entity ("1 st scenario"); and
(2) for CLR, CLI and CCLR two assemblies
are delivered to an appliance; the first
assembly has a rule that demands permissions
from a caller in the second assembly, and the
second assembly includes a control that asserts
such permissions or provides evidence that
convinces the runtime that it has such
permissions. ("2 nd scenario"). In each scenario
Microsoft .NET "Code Access Security"
framework or "Role Based Security"
framework is used.
a) securely receiving a first entity's control at
aid first appliance, said first entity being
ocated remotely from said operating
invironment and said first appliance;
l sl scenario: first entity is the administrator,
and the policy that constitutes this entity's
control is securely received at the first
appliance through a session established
between the administrator's computer and the
first appliance, requiring security credentials
such as the administrator's login and password
or other secure session means.
2 nd scenario: first entity is creator or distributor
of the first assembly, assembly manifest
includes a control demanding or refusing or
otherwise asserting a security action on
permissions from a caller; first assembly is
integrity-checked.
b) securely receiving a second entity's control
it said first appliance, said second entity being
ocated remotely from said operating^
mvironment and said first appliance, said
econd entity being different from said first
Second entity's control is contained in shared
assembly manifest (and therefore integrity
protected) that provides evidence for obtaining
permissions, or asserts permissions; assembly
creator/distributor is located remotely and is
Exhibit B
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
entity; and
not the administrator (l sl scenario) or
creator/distributor of the first container (2 n
scenario"):
(c) securely processing a data item at said first
appliance, using at least one resource,
including securely applying, at said first
appliance through use of said at least one
resource said first entity's control and said
second entity's control to govern use of said
Udld IlCIIl.
Secure processing is carried out by CLR, CLI
or CCLR, Data item constitutes an executable
code element, an interface controlled by such
an executable, a data collection or stream (such
as media file or stream or text file) or an .
environment variable* CLR, CLI or CCLR
securelv nro cesses the rules, which will in both
scenarios govern access to methods and data
from the first assembly. The resource named in
the claim is, e.g., a Windows process that is
established by the runtime or hardware element
on the computer.
5L A method as in claim 1 wherein at least
said secure processing step is performed at an
end user electronic appliance.
Consumer computer or appliance running
Microsoft CLR, CLI or CCLR).
58. A method as in claim 1 wherein the step of
securely receiving a first entity's control
comprises securely receiving said first entity's
control from a remote location over a
telecommunications link, and the step of
securely receiving saio second enuiy s conir oi
comprises securely receiving said second
entity's control from the same or different
remote location over the same or different
telecommunications link.
l sl scenario 1 : link is LAN or WAN; 2 na
scenario: link is any telecommunications link,
including the internet.
65. A method as in claim 1 wherein the
processing step includes processing said first
and second controls within the same secure
processing environment.
Secure processing environment is CLR, CLI or
CCLR running on user's computer or
appliance.
/l. j\ meinou as in cidim 1 jutuici liiciuunig
the step of securely combining said first
entity's control and said second entity's control
in nmviHp a combined rnntrftl arrangement
In scenario 2 arrangement consists of the stack
frame, and the corresponding array of
permission grants for assemblies on the stack,
and the permission demanded by the first
assembly. Secure combining performed by the
CLR. CLI or CCLR.
76. A method as in claim 1 wherein said two
securely receiving steps are independently
nfrformed at different times.
Steps are performed at different times in both
scenarios.
84. A method as in claim 1 wherein at least one
of the first entity's control and the second
entity's control comprises at least one
executable comDonent and at least one data
component.
In both scenarios the second entity supplies an
assembly with a demand procedure executed
by the CLR, CLI or CCLR. The data
component is a specific attribute value
referenced bv the assemblv.
89. A method as in claim 1 wherein said first
appliance includes a protected processing
environment, and wherein:
Microsoft Common Language Runtime (CLR),
Common Language Infrastructure (CLI), or
Compact Common Language Runtime (CCLR)
environment.
(a) said method further comprises a step of
receiving, at said first aDDliance. said data item
Typically occurs in both scenarios.
Exhibit B
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
separately and at a different time from said
receiving said first entity's control : and
(b) said securely processing step is performed
at least in part in said protected processing
environment
Protected processing environment is the CLR,
CLIorCCLR.
Exhibit B II
'34
1
2
3
•4.
5
6
7
S
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
JNTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,982,891
22. .
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft ho?ted RMS Service using
Passport
A method of securely controlling use by a third
party of at least one protected operation with
respect to a data item comprising:
A user (third party) accesses an IRM-protected
data item governed by IRM controls under two
or more RMS servers. For example, the data
item may be a IRM-protected document
The IRM controls may be associated with the
data item directly or via a IRM-protected
container holding the IRM-protected data item,
such as an IRM-protected email .with the IRM-
protected document attached.
(a) Supplying ai JcoM a HIM CUJUIUJ nuiii a moi
party to said third party;
The user acquires a first use license from a first
RMS server (first party) enabling access to, the
IRM-protected data item under the IRM rules
associated with the first RMS server. For
example: (1) the first use license from the first
RMS server permits the user to access a IRM-
protected document contained within or
attached to an IRM-protected email; or (2) the
first use license from the first RMS server
applies a first set of IRM rules to an IRM-
protected document.
(b) supplying, to said third party, at least a
second control from a second party different
ITUIIJ oalU illdl paiLjf,
The user acquires a second use license from a
second RMS server (second party) enabling
access to the IRM-protected data item under
the DRM rules associated with the second RMS
server. For example: (1) in addition to the
user being given access to an IRM-protected
email based on a first use license, a second
RMS server provides a second use license
enabling access to the IRM-protected
document attached thereto; or (2) the second
use license from the second RMS server
applies a second set of IRM rules to the IRM-
protected document.
(c) securely combining at said third party's
location, said first and second controls to form
a control arrangement;
The first and second use licenses are combined
to form a control arrangement that governs
-access to the IRM-protected data item.
(d) securely requiring use of said control
arrangement in order to perform at least one
protected operation using said data item: and
The combined first and second use licenses
govern access to the IRM-protected data item.
(e) securely performing said at least one
protected operation on behalf of said third
party with respect to said data item by at least
in part employing said control arrangement
The user performs a protected operation (e.g.,
read, prim, edit) on the IRM-protected data
item. The combined first and second use
licenses are employed to permit the protected
operation.
1
Exhibit B ii
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1?
18
19
20
21
22
23
24
25
26
27
28
23. A method as in claim 22 wherein said data
item is protected.
The data item is encrypted and protected by
IRM.
39. A method as in claim 22 further including
securely and persistently associating at least
one of: (a) said first control, (b) said second
control, and (c) said control arrangement, with
said data item. ' '■
The first and/or second use license are securely
and persistently associated with the IRM-
protected data item.
53. A method as in claim 22 wherein at least
two of the recited steps are performed at an end
user electronic appliance.
Steps performed at. a user's computer or
appliance.
60. A method as in claim 22 wherein step (a)
comprises supplying said first control from at
least one remote location over a
telecommunications link, and step (b)
comprises supplying said second control from
the same or different remote location over the
same or different telecommunications link
The first and second use licenses are received
over a telecommunications link such as a
networking or modem/serial interface.
67. A method as in claim 22 wherein at least
step (c) is performed within the same secure
processing environment at said third party's
location.
Steps are performed at user's computer or
appliance.
91. A method as in claim 22 wherein:
(a) said method further comprises supplying
said data item to said third party separately and
at a different time from supplying of said first
control to said third party; and
The first use license (first control) is received
at the time that the user accesses the data item,
which occurs separately and at a different time
from receipt of the IRM-protected data item
itself.
(b) said securely performing step comprises
performing said protected operation at least in
part in a protected processing environment.
The protected operations require decryption of
the protected content, which is done inside the
RM lockbox. The RM lockbox is protected by
mechanisms such as obfuscation, anti-
debugging, and tamper resistance.
Exhibit B|
if*
1
2
3
4
5
6
7
8
9
1.0
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
JNTERTJWST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,982,891
26.
Products infringing: Visual Studio.NET, •
.NET Framework SDK, and all products
that include the Common Language
Runtime or Compact Common Language
Runtime or Common Language
Infrastructure.
A secure method for combining data
items into a composite data item
comprising:
(a) securely providing, from a first location
to a second location, a iirsi aaia nem
having at least a first control associated
therewith;
A first signed and licensed .NET
CUIIipUIJCUl, .1NJD1 oboCIIlUiy, IJlallagCU
control and/or Web control (component) is.
the first data item. The first .NET
component developer (first location)
provides the application assembly
developer (second location) the first
component. The first control is the set of
declarative statements comprising the
T l^pncpPrnviHpr A ttrnlMltf* f flltPTTisltplv
1^1 CcnSCT I O VlUCl /\ liTJ UU IC \cil ICI 1 JdlCJ y
referred to as license controls).
(b) securely providing, from a third
locauon 10 said second location, a second
data item having at least a second control
associated therewith;
A second signed and licensed component is
II JC oCtUHU Udtct J I Clil. X IIC dCCAJIJU
component developer (third location)
provides the application assembly
developer (second location) the second
component. The second control is the set
of declarative statements comprising the
LicenseProviderAttribute.
(c) forming, at said second location, a
composite of said first and second data
items:
The application assembly developer will
include at least the two components into its
assemblv.
(d) securely combining, at said second
location, said first and second controls to
form a control arrangement; and
At the second location, the application
assembly developer uses the .NET runtime
that includes the LicenseManager.
Whenever a component is instantiated
(here, an instance of the first licensed
component), the license manager accesses
the proper validation mechanism for the
component. The license controls (first
control) for the runtime license (derived
from the design time license) are bound
into the header of the .NET application
assembly, along with the second control for
the second component.
Visual Studio.NET securely handles the
creation of runtime license controls.
Runtime licenses are embedded into (and
bound to) the executing application
assemblv. The license control attribute
Exhibit B
' 7"7
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293462.02
• •
included in the first component is
customized in the second location to
express and require the runtime license. In
a more advanced scenario, the License
Complier tool can be used to create a
".licenses file" containing licenses for
multiple components, including runtime
licenses for components and classes created
by the license provider. This .licenses file
is embedded into the assembly.
The third control set comprises the runtime
licepse controls for the first and second
components (that had been bound to the
assembly), the declarative controls
provided by the application assembly
Hpvplrvnpr ?mH nnv nintimp li^pn^p*; fVvr
other components included by the
developer in application assembly. The
controls are typically integrated into the
hpaHpr of thp NPT flTmlication assemhlv
calling the first licensed component.
(e) performing at least one operation on
said composite of said first and second data
items based at least in part on said control
arrangement.
The proper execution of the application
will require that the assembly have run
time licenses for the two components.
27. A method as in claim 26 wherein said
combining step includes preserving each of
said first and second controls in said
comDOsite set.
The set of declarative statements
comprising the LicenseProviderAttribute of
both the first and second components are
included in the application assembly.
28. A method as in claim 26 wherein said
performing step comprises governing the
operation on said composite of said first
and second data items in accordance with
said first control and said second control.
The application will require the first and
second controls to operate properly when it
calls the first and second data items,
respectively.
29. A method as in claim 26 wherein said
providing step includes ensuring the
integrity of said association between said
first controls and said first data item is
maintained during at least one of
transmission, storage and processing of
said first data item.
Signing the component that has embedded
within it the license control ensures the
integrity of the association of the control
and data item.
31. A method as in claim 26 wherein said
providing step comprises codelivering said
first data item and said first control.
The component includes the license control
and therefore they are codelivered.
40. A method as in claim 26 further
including the step of securely ensuring that
at least one of (a) said first control, (b) said
second control, and (c) said control
arrangement, is Dersistentlv associated with
Each component includes the license
control. Signing the component that has
embedded within it the license control
ensures the persistence of the association of
the control and data item.
;i
Exhibit B ii
38
1
2
3
.4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
at least one of said first and second data
items.
54. A method as in claim 26 wherein at
least one of steps (c), (d) and (e) is
performed at an end user electronic
appliance. _j
At least step (e) is typically performed at an
end-user electronic appliance.
61. A method as in claim 26 wherein step
(a) comprises providing said first data item
from at least one remote location over a
telecommunications link, and step (b)
comprises providing said second data item
from the same or different remote location
over the same or different
telecommunications link.
Microsoft maintains Web sites where a
developer can get components over the
Web. These sites include references
whereby a developer may obtain
components through their Web connection.
One such site is Internet Explorer Web
Control Gallery at
ie.components.microsoft.com/webcontrols
68. A method as in claim 26 wherein step
(d) is performed within the same secure
processing environment at said second
location.
Typically, step (d) will be performed
within the same secure processing ■
environment.
79. A method as in claim 26 wherein steps
(a) and (b) are performed at different times.
The application assembly developer will
typically acquire components at different
times.
86. A method as in claim 26 wherein at
least one of the first and second controls
comprises at least one executable
component and at least one data
component.
The component must include an executable
and can include a data items as a EULA,
readme file or help file.
Exhibit B
39 ;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,982,891
35
Infringing products include: Windows
Media Player, Individualized DRM Clients
and the Secure Audio Path (SAP)
technoloev.
A method for using at least one resource
processed by a secure operating .
environment said method comprising:
securely receiving a first load module
nrnviripfl hv a fir^t entitv external to said
operating environment . *
The Individualized DRM Client (first load •
module) is a signed security upgrade DLL.
It is also bound to the hardware ID of the
machine on which it runs. It is therefore
securely delivered and integrity protected.
securely receiving a second load module
provided by a second entity external to said
operating environment, said second entity
being different from said first entity; and
A SAP certified driver is also signed and
carries with it a certificate that indicates its
compliance with SAP criteria. If it is
delivered to a PC it is secure in the sense
that it is integrity protected. This driver
would not come from the same entity as the
Individualization DLL.
securely processing, using ai icasx one
rCoUUXL'C, a Udld HCIU oooUtlalCU Wiui oflJu
first and second load modules, including
securely applying said first and second load
modules to manape use of said data item
Tf n WTM Audio file targeted to the
XX a VT ivx auuiu 1.11 ^ \cu gviwu iv uiv
Individualized DRM client carries with it a
requirement that SAP be supported to
render the WMF contents, the content is
processed for playing through a soundcard
using the WMP and by applying the DRM
client - which decrypts the content and
negotiates with the DRM kernel processing
of the content through a Secure Audio Path
that includes the SAP-certified audio
driver.
56. A method as in claim 35 wherein at
least two of the recited steps are performed
at an end user electronic appliance.
All steps occur at the user's PC that
supports the WMP and DRM client and
SAP.
63. A method as in claim 35 wherein said
first load module receiving step comprises
securely receiving said first load module
from at least one remote location over at
least one telecommunications link, and said
second load module receiving step
comprises securely receiving said second
load module from the same or different
remote location over the same or different
telecommunications link.
The Driver and DRM client are received
from distinct locations and may be
delivered securely over the Internet. They
are delivered securely in that each is
integrity protected.
70. A method as in claim 35 wherein said,
securely processing step comprises
semrelv executing said first and second.
Both load modules are executed on the PC
within the WMP/DRM Client/SAP
environment.
ii
II
--, Exhibit Bli
40
1
2
3
.4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
load modules within the same secure
processing environment.
74. A method as in claim 35 further
including securely, combining said first and
second load modules to provide a
combined executable.
Since both the DRM client and the driver ■
are DLLs in the same audio rendering
chain, they exist as an execution
environment.
81. A method as in claim 35 wherein said
securely receiving steps are performed
independently at different times.
The driver and Individualization DLL need
not be received at the same time.
94. A method as in claim 35 wherein said
secure operating environment includes a
protected processing environment, and
wherein:
said method further comprises receiving a
data item within said secure operating
environment;
said first load module receiving step is
performed separately and at a time different
from receiving said data item; and
said securely processing step is performed
at least in part in said protected processing
environment.
The Windows Media Player together with .
the Individualized DRM Client and Secure
Audio Path comprise a protected
environment for processing protected
media. The protected Windows Media ..
Files are received after the load modules
have been received and installed (licenses
cannot be acquired until load modules are
in place). The processing of the Windows
Media File occurs in the protected
environment.
Examples of SAP-certified drivers include - as indicated at
http://www.microsoft.com^
All VIA controllers with AC-97 codecs
All ALI controllers with AC-97 codec
Intel 1CH controllers with AC-97 codecs
Creative Labs SoundBlaster 16/AWE32/AWE64/Vibra
Yamaha OPL3
Yamaha DS-1
Cirrus Logic (Crystal) CS4280
Cirrus Logic (Crystal) CS4614 / CS4624
ESS Maestro 2E
USB Audio
Cirrus Logic (Crystal) CS428 1
Exhibit B ij
41
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
• AH SiS controllers with AC-97 codecs
• Ensoniq ESI 370
■ NeoMagic NM6
■ Ensoniq ES 1 371/73 and CT5880
■ SoundBlaster Live!
• Aureal 8810
■ Aureal 8820
■ Aureal 8830
■ Conexant Riptide
• ESS Maestro
■ ESS ISA parts
■ NeoMagic NM5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,982,891
36.
Product Infringing: Any product Using
Common* Language Runtime (CLR), Common
Language Infrastructure (CLI), or Compact
Common Language Runtime (CCLR)
A secure operating environment system for
managing at least one resource comprising:
Microsoft CLR, CLI or CCLR (operating
environment system), managing; any of the
resources on a typical computer, including
memory, files system, communications ports,
storage devices, and higher level resources that
may use any of these or combinations of them.
(a) a communications arrangement
Communications port and Microsoft Internet
Protocol stack that may optionally use Secure •
Socket Layer protocol or IPSECpacket
security protocol, supplied with Microsoft
Windows.
(1) that securely receives a first control
of a first entity external to said
operating environment, and
Rule or evidence contained in the manifest of a
shared assembly, distributed by a first entity
that can be used by the CLR, CLI or CCLR to
determine permissions that may be needed to
cause operations on a data item or resource
controlled by another entity; shared assembly
is tamper-protected and may be received using
secure SSL or IPSEC protocol.
(2) securely receives a second control
of a second entity external to said
operating environment, said second
entity being different from said first
entity: and
Rule specified in the manifest of a second
shared (Tamper protected) assembly, that
demands permissions of callers of its methods.
(b) a protected processing environment,
operatively connected to said
communications arrangement that:
CLR, CLI or CCLR, connected to (e.g.)
communications port
(1) [] securely processes, using at least
one resource, a data item logically
associated with said first and second
controls, and
CLR, CLI or CCLR uses type safety
mechanisms, access controls, integrity
detection, and separation of domains. Data
item may be any data item that is managed by
the second assembly, which may be a member
of such assembly, and whose state or value
may be accessible through an interface to other
assemblies, and which is referenced by the first
assembly.
(2) [] securely applies said first and
second controls to manage said
resource for controlling use of said data
item.
CLR, CLI or CCLR processes the demand for
permissions from the second assembly, collects
the evidence or processes the rule from the first
assembly, and determines whether the first
assembly has the permissions to use the
resource to operate on the data item controlled
bv the second assembly.
57. A system as in claim 36 wherein said
protected processing environment is part of an
Computer or electronic appliance running
CLR, CLI or CCLR
Exhibit B i
43
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
end user electronic appliance.
64. A system as in claim 36 wherein said
communications arrangement receives said
first and second controls from at least one
remote location over at least one
telecommunications link.
Shared assemblies are designed to be received
remotely, e.g., over the internet.
75. A system as in claim 36 wherein said
protected processing environment combines
said first and second controls to provide a
combined control arrangement.
Arrangement consists of the stack frame and
and the corresponding pray of permission
grants for assemblies on the stack, and the
permission demanded by the second assembly.
82. A system as in claim 36 wherein said
communications arrangement independently
receives said first and second controls at
different times
Assemblies, including controls, are designed
for independent delivery.
88. A system as in claim 36 wherein at least
one of the first control and second controls
comprises at least one executable component
and at least one data component.
The second entity supplies an assembly with a
demand procedure (executed by the CLR, CL1
or CCLR) that includes reference to a specific
attribute value (the data component), and the
protected processing environment executes the
executable component (demand) in a manner
that is at least in part responsive to the data
component (execution is in response to the
security action supplied in the data item).
Exhibit B I!
4/
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
1NTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,982,891
36.
Infringing Product: My Services
A secure operating environment system
for managing at least one resource
comprising:
Secure operating environment is the secure
server for any .NET My Services service
(e.g. Mv Calendar. Mv Inbox")
a communications arrangement that
securely receives
Secure server receives communications
formatted using the SOAP-SEC, the
security extension to SOAP that is used by
My Service servers to receive controls.
a first control
The first control is a roleTemplate
associated with the service. The
J UJC 1 CJUJJJalC lucijuiico apcisiiic dwliUllb
(e.g. read, replace) that can be performed
against a certain scope {resource or set of
resources).
of a first entity external to said operating
pnvirnnTYipnt
The first entity is the administrator of the
QPrvpr HfltahflQf* nr ntVipr pntitv witH
5Ci vw ucnauciov, yJi uvus^i s^nixij vviui
authority over its content that sets up the
roleTemplates and scopes. That entity is
indeDendent from and located remote! v
from the secure server.
and securely receives a second control
A role element specified by a specific end
user, which is securely received by the
secure server using the SOAP-SEC
protocol.
of a second entity external to said
operating environment, said second entity
being different from said first entitv:
The end user is located remotely from the
secure server.
and a protected processing environment,
operatively connected to said
communications arrangement, that:
The protected processing environment is
the .NET security service (authorization
system) operating within the server. The
server uses the SOAP-SEC
communication protocol to receive
controls.
(a) securely processes, using at least one
resource, a data item logically associated
with said first and second controls, and
"Securely processes" is performing the
requested operation on secure server
running .NET. The system will perform the
requested operation ensuring that the user
has no access to information outside the • ...
Exhibit Bi
'45
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
scope computed.
The resource is the server software and/or
hardware used to process the two controls
and user data.
The first control is the roleTemplate for the
service. The second control ( is the role
element for an individual user.
The data item is the end user's stored
content (e.g. calendar, email inbox, etc.).
(b) securely applies said first and second
controls to manage said resource for
s-* 4 *-s~v 1 linn npo f\T CQin /"I o + o itPTO
COmrOliing Ui>c OJ bcuU Uala llCJli.
The secure server determines the result
scope (visible node set) for the operation
that is comnuted from the role element and
the roleTemplate. That result scope is used
to manage the data item.
64. A system as in claim 36 wherein said^
communications arrangement receives said
iirst and second controls rroni ai least one
remote location over at least one
telecommunications link.
The remote location is the site where the
user's or administrator's application is
ninrnno
1 UilillJig*
The telecommunication link can be the
Internet, intranet, VPN or other similar
channels.
75. A system as in claim 36 wherein said
protected processing environment
combines said first and second controls to
provide a combined control arrangement.
The role scope incorporating the role
element and the role Template.
82. A system as in claim 36 wherein said
communications arrangement
independently receives said first and
second controls at different times.
Administrator and user controls will
ordinarily be received at different times.
95. A secure operating environment system
in rlaim ^6 wherein said
communications arrangement also receives
a data item separately and at a different
time from at least one of said first control
and said second control.
This is the normal case for .NET My
Services. The user's content is normally
stored and updated independently of the
setting of scope elements, role elements and
roleTemplates.
ii
Exhibit Bi
1
2
3
. 4.
5
6
7
8
9
10
11
12
13
14
15
16
17
IS
19
20
21
22
23
24
25
26
27
28
293482.02
JNTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,157,721
wmmmMmmmmmmsmmmmm
1. A security method comprising:
(a) digitally signing a first load module with a
first digital signature designating the first load
module for use by a first device class;
Product Infringing: Windows CE for Automotive
WCEfA is Microsoft Windows CE for Automotive,
sometimes also known by its former name; AutoPC 2.0.
With WCEfA an OEM can assign their device to a class
that only accepts certain kinds of software. The device
cari be set to accept 1) any software with the correct
processor/version 2) only certified software or 3) only
software from the OEM or Microsoft. These Security (or
Trust) levels also control to which kernel APIs and
middleware APIs the software has access.
Background:
"Microsoft Software Install Manager (SIM), a
component of WCEfA, allows you to control what can
be installed on your device platform. You can define
your platform as being open, closed or restricted to new
installations, and SIM will enforce these designations."
(D,pg.l)
"Anything can be installed on an open platform, as long
as the applications are compiled for the appropriate
processor. At the other extreme, no third-party software
can be installed on a closed platform. Only certified
applications can be installed on a restricted platform."
(D,pg.l)
"By restricting installations to compliant applications,
the risk of installing and using incompatible or harmful
software is greatly reduced, while still keeping the
device open for robust, quality applications that enhance
the user experience." (F, pg. 1 )
WCEfA also has a Security Layer whose purpose is to
"Create an abstraction layer of security surrounding ISV
applications to limit and/or deny access to key Windows
CE kernel API calls and WCEfA middleware APIs." I,
Pg.l)
A ftrst had module is a WCEfA software component in
a signed .PE file. The first device class is a device that
only allows software designated as "restricted" (or
higher) to be installed. "Restricted" software is software
that has been certified. With restricted software, the
device also implements a Security Layer functionality
that limits the kernel and WCEfA API calls that the
software can make.
jl
Exhibit B
47 ' :
"SIM Level: 1 = Restricted
Description: Only properly certified CEI (WCEfA
device installation) files can be installed on the device.
Remote execution is restricted to executables with
master key.
Key: Logo certified CEI file required. CEI files or EXEs
with master keys permitted." (F, pg. 1 ) ,
"The kernel loader calls it e^ch time' a module is loaded
by Windows CE. It returns one of the following values
that determine the module's access to kernel resources:
Value
• Meaning
OEM_CERTIFY_TRUST (2)
The module is trusted by the OEM to perform any
operation.
OEM_CERTIFY_RUN (1)
The module is trusted by the OEM to run but is
restricted from making certain function calls.
OEM_CERTIFYJFALSE (0)
The module is not allowed to run.
"(H,pg.l)
Digitally signing: "Before the kernel loads a file, it uses
the OEMCertifyModule function to verify that the file
contains the proper signature" (N, pg.l)
"Signfile.exe: This tool signs an executable with a
supplied private key. You can use the following
command parameters with this tool....-s AttribString,
specifies an optional attribute string to be included in the
signature. For example, you could add a string to
indicate the trust level of the application." (0. Pg. 1)
In the MSDN article Verifying the Signature, the sample
code segment states
"//the file has a valid signature
// we expect the trust level to be returned as signed
data...
//case 'R' : dwTnJstLevel = 0EM_CERT1 F Y_RUN" (N,
Pg.2)
"The WCEfA Security Layer isolates installed
applications from making unrestricted kernel and
WCEfA API calls. This allows the OEM to assign one of
three levels of security to applications and drivers
installed in RAM when they are loaded into the system.
The three levels are Trusted... ,Restricted..., and
Blocked. ..On the systems level, the WCEfA Security
I ■
Exhibit B I
48
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
layer fits between ISV applications and isolates these
software modules from having free access to all WinCE
kernel calls and WCEfA middleware APIs." (I, pg. 1)
The developer submits their application for certification.
If it passes, then the .cei file (a form of cab file) receives
a certification key from the certifier. The signed PE is
within this .cei file. ' .
(b) digitally signing a second load module with
a second digital signature different from the
first digital signature, the second digital
signature designating the second load module
for use by a second device class having at least
one of tamper resistance and security level
different from the at least one of tamper
resistance and security level of the first device .
class; . .
A second load module is a WCEfA software component
is a signed PE file. The second device class with a
different tamper resistance or security level is a device
that is "Closed", that is, it will not allow third party to
software to be installed. A closed device only allows
trusted software to run. The Security Layer setting of
"Trusted" allows the Microsoft and OEM software full
access to kernel and middleware APIs.
In the MSDN article Verifying the Signature, the sample
code segment states
"//the file has a valid signature
// we expect the trust level to be returned as signed
data...
//case 'T' : dwTrustLevel = OEM_CERTIFY_TRUST
(N,pg.2)
"Signfile.exe: This tool signs an executable with a
supplied private key. You can use the following
command parameters with this tool..., -s AttribString,
specifies an optional attribute string to be included in the
signature. For example, you could add a string to
indicate the trust level of the application. (O. Pg. 1)
"SIM Level: 2 = Closed
Description: Platform is limited to software supplied
directly by OEM or Microsoft. Third-party applications
cannot be installed. ...
Key: Master key required for any install or remote
execution." (F, pg.l)
Related to the Security Layer, the Trusted level "is most
likely reserved for MS and OEM applications and
drivers." (1, pg. 1)
Whereas the .cei files for certified software have a
certification key (sometimes call MS Logo key), the .cei
files from Microsoft or the OEM have a master key
attached. ""Master key required for any install or remote
execution." (F, p.gl)
(c) distributing the first load module for use by
at least one device in the first device class; and
First load module is the certified software from a third
party that will be run as part of the "Restricted"///^/
device class.
"Once your application is complete, send the .cei file to
Exhibit B \\
49
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
the organization that is performing validation or
certification for the OEM. They would validate it, then
either reject or return a .cei that has been stamped with a
certification key. You would then reproduce this .cei file
on CD-ROM or a compact flash card and distribute." (D,
P-g5)
"APCLoad compares the device SIM level against the
.cei file certification key, and either allows the
installation to proceed or prohibits it based on the
outcome of this comparison." (D, pg. 2)
i
"Security:. To achieve a high level of reliability,
WCEfA is carefully designed to:
- • Control the installation of certified and tested
. . software and drivers.
Limit the access of system services by installed
module.
Monitor the proper execution of software..."
(G,pg. 1)
(d) distributing the second load module for use
by at least one device in the second device
class.
The second load module is the certified software from
the OEM or Microsoft that will be run as part of the
"Closed" second device class.
"You may need to change ROM components after your
device ships, either to Fix a problem, or to provide
enhanced functionality. For this purpose, the OEM is
given a CEIBuild that adds a master key to a .cei file.
CEI files stamped with this master key can be installed
on an open, closed or a restricted platform." (D, pg. 3)
"Trusted: The application is registered as a completely
trusted module and allowed full access to the kernel
APIs and WCEfA APIs. This mode is mostly likely
reserved for MS and OEM applications and drivers.
Note that applications and drivers included in ROM are
automatically given trusted status." (1, Pg-0
References:
[D] http://msdn.microsoft.com/library/defau!t.asp?url :
[F] http://msdn.microsoft.com/library/default.asp?url :
[G] http://msdn.microsofl.com/Iibrary/defauIt.asp7url
[H] http://msdn.microsoftxom/library/default.asp?url :
[I] http://msdn.microsofl.com/library/defauIt.asp?url :
[N] http://msdn.microsoft.com/library/default.asp?url !
[O] http://msdn.microsoft.com/library/defauh.asp?url !
=/Hbrary/en-us/dnceauto/html/WinCAuto_SIM.asp
: /library/en-us/apcguide/htm/ceibuildrev_8.asp
=/library/en-us/apcguide/htm/securityrev.asp
=/library/en-us/apcguide/htm/securityrev_7.asp
/library/en-us/apcguide/htm/reliabilityrev_3.asp
=/library/en-us/wcedsn40/h tm/cgcon Verify ingSignature.asp
=/library/en-us/wceoem/htm/os_secur_6.asp
Exhibit B i!
50
1
2
. 3
4
5
.6
7
8
9
1.0
11
12
13
14
15
16
17
IS
19
20
21
22
23
24
25
26
27
28
293482 02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,157,721
5. '/• f
Product infrin{?in£r Windows Hardware
Quality Lab certification services, and ' .
operating system products that support
driver signature technology.
A software verifying method comprising:
Microsoft encourages manufacturers to
have their device drivers tested and signed.
For example, only signed drivers will ship
"in-the-box." Also, Microsoft's driver
ranking prefers signed drivers to unsigned
drivers.
Microsoft Web Page - Can't Find a Test
Cateeorv for Your Driver?
WHQL's long-term objective is to be able
to digitally sign an an vers. AJtnougn we ao
not currently have test programs for certain
driver types, such as specialized device
drivers and software filter drivers, WHQL
is investigating a long term solution to
expand the categories of drivers tested
under Windows 2000 and ultimately all
Windows operating systems. We are
already formulating a test program for anti-
virus file system filters, and plan to address
other file system filter drivers as soon as
the initial program is in place.
(a) testing a load module
The driver will be tested for each version of
the operating system it supports and against
the device class specification that apply to
the device's class.
The driver package is a load module. A
driver package contains one or more of the
following files:
A device setup information file (INF file)
A driver catalog (.cat) file
One or more optional co- installers
Microsoft operates the Window Hardware
Quality Lab, which tests drivers submitted
by driver manufactures.
The manufacturer can test their own driver
using the Microsoft testing kit and submit
the test results to WHQL when requesting a
signature. Additionally, Microsoft or a
testing facility working with Microsoft can
perform the testing.
having at least one specification associated
The manufacturer-written FNF file, which
iJ
Exhibit Bjj
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
therewith,
the specification describing one or more
functions performed by the load module;
(b) verifying that the load module satisfies
the specification; and
is part of the driver package, is a
specification. Microsoft Windows drivers
n)ust have an INF file in order to be
installed.
The INF Version section specifies its
device class. One use of the device class is
to identify the specific Windows
compatibility specification that relate to the
device class. These specifications will vary
by device class in part because the function
of each device can vary among class. The
INF incorporates by reference the ,
Microsoft supplied device class-specific
specification by identifying its class in the
INF.
The INF can include operating system
"decorating" to specify the operating
system architecture, major and minor
version, product and suite the driver is
intended for and can further use this
decorating to specify what operating
systems for which it is not intended.
Because the functionality of each of the
operating systems may vary the driver must
be tested for each applicable operating
system.
Qualification Service Policy Guide -
Hardware Category Policies
You must select the correct hardware
category for your device. If you select the
wrong hardware category for your device,
your submission will fail. For example, if
you have a storage/hard drive device, but
you select storage/tape drive as your
hardware category, your submission will
fail.
Windows XP HCT 1 0.0 Q & A - Windows
XP Logos
Q: Which "Designed for Windows XP"
logos are available for my product?
A: Devices and systems qualify for a
"Designed for Windows" logo after passing
testing with the appropriate WHQL test kit
on all operating systems specified by the
logo. "Designed for Windows" Logos for Device
and System Programs lists which logos are
available for each type of product,
The Microsoft WindowsXP Hardware
Compatibility Test (HCT) kit version 1 0.0
includes the tests, test documentation, and
Exhibit Bl
52
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
submission processes that are required to
participate in the Microsoft Windows Logo
Program for Hardware for the Windows
XP Professional operating system. To
qualify to use the "Designed for Windows"
logo for hardware, products must pass
testing with the Microsoft Windows HCT
kit. The HCT kits aire organized by
hardware type. * '
As mentioned above, the manufacturer can
test their own driver using the Microsoft
testing kit and submit the test results to
WHQL when requesting a signature.
Additionally, Microsoft or a testing facility
working with Microsoft can perform the
testing.
(c) issuing at least one digital certificate
attesting to the results of the verifying step.
When a driver package passes WHQL
testing, WHQL generates a separate CAT
file containing a hash of the driver binaries
and other relevant information. WHQL
then digitally signs the CAT file using
Digital Signature cryptographic technology
and sends it to the vendor. Driver signing
does not change the driver binaries or the
INF file submitted for testing.
Microsoft uses digital signatures for device
drivers to let users know that drivers are
compatible with Microsoft Windows XP,
Windows 2000, and Windows Me. A
driver's digital signature indicates that the
driver was tested with Windows for
compatibility and has not been altered since
testing.
i
• t
'i
Exhibit B !
' '53
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,157,721
k$&$ ^^ISA^&ANGUAGE ^vi^i^
14.
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
\ first protected processing environment
comprising:
A personal computer running Windows XP,
Windows 2000, or Windows 2003
i first tamper resistant barrier having a first
security -level-, and
The tamper resistant barrier is the Office 2003
IRM client environment and includes the
signed digital certificate identifying the user.
If the certificate is tampered with, or if certain, .
sensitive IRM processes or modules are
debugged or tampered with, the system will
cease to operate.
The first security level is the "Security Level"
which has been selected for a particular Office
Application, e.g.. Word.
it least one arrangement within the first
amper resistant barrier that prevents the first
vrotected processing environment from
sxecuting the same load module accessed by a
;econd protected processing environment
laving a second tamper resistant barrier with a
;econd security level different from the first
;ecurity level.
The arrangement that prevents a load module
from running in one PPE and not in another is
the type and characteristics of a particular Load
Module (VBA program within a document or
add-in); i.e., signed, script author, code
capabilities, etc., and the "Security Level"
settings.
Exhibit B \
54
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,157,721
18.
Infringing products include Office 2003. and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
k method for protecting a first computing
arrangement surrounded by a first tamper
resistant barrier having a first security level,
[he method including:
The first computing arrangement with a tamper
resistant barrier is the Office 2003 IRM client
environment and includes the signed digital
certificate identifying the user.
If the certificate is tampered with, or if certain,
sensitive IRM processes or modules are
debugged or tampered with, the jsystem will
cease to operate.
The computing arrangement is being protected
from; for example, viruses and malicious code.
The first security level is the "Security Level"
which has been selected for a particular Office
Application, e.g.. Word.
preventing the first computing arrangement
rom using the same software module
iccessible by a second computing arrangement
laving a second tamper resistant barrier with a
;econd security level different from the first
;ecurity level.
The arrangement that prevents a load module
from running in one computing arrangement
and not in another is the type and
characteristics of a particular software module
(VBA program within a document or add-in);
i.e., signed, script author, code capabilities,
etc., and the "Security Level" settings.
ii
f!
... .Exhibit B ii
"55 ; !
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
1NTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,157,721
34.
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
A protected processing environment
comprising:
A personal computer running Windows XP,
Windows 2000, or Windows 2003
a first tamper resistant barrier having a first
security level,
The first tamper resistant barrier is the Office
2003 IRM client environment and includes the
signed digital certificate identifying the user. If
the certificate is tampered with, or if certain,
sensitive IRM processes or modules are .
debugged or tampered with, the system will,
cease to operate.
The first security level is the "Security Level"
which has been selected for a particular Office
Application, e.g.. Word.
a first secure execution space, and
The secure execution space is process space
allocated by the operating system for the
Microsoft Office host application to run. This
host application (e.g., Word) executes the VBA
code within this process space.
This execution space (application) is secure
because the IRM environment takes steps to
insure that it is "trusted", the application is
signed, and the document which includes the
VBA code is protected by IRM policy and then
encrypted and signed.
at least one arrangement within the first
tamper resistant barrier that prevents the first
secure execution space from executing the
same executable accessed by a second. secure
execution space having a second tamper
resistant barrier with a second security level
different from the first security level.
The arrangement that prevents a load module
from running in one computing arrangement
and not in another is the type and
characteristics of a particular software module
(VBA program within a document or add-in);
i.e., signed, script author, code capabilities,
etc., and the "Security Level" settings.
Exhibit 8j
56 ■
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
JNTERTRVST TECHNOLOGIES CORP. v. MICROSOFT CORP.
1NTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,157,721
54.
Product Infringing: Microsoft Common Language
RuntimeandASP.NET • • .
A protected processing environment
comprising:
Microsoft Common Language Runtime and
ASP.NET
a first tamper resistant barrier having a
first security level,
TAMPER RESISTANT BARRIER
The first tamper resistant barrier is the application
domain in the CLR. The runtime hashes the
contents of each file loaded into the application
domain and compares it with the hash value in the
manifest. If two hashes don't match, the assembly
fails to load.[l]
Also "Code funning in one application cannot
directly access code or resources from another
application. The common language runtime
enforces this isolation by preventing direct calls
between objects in different application domains.
Objects that pass between domains are either
copied or accessed by proxy "[2]
SECURITY LEVELS
The security levels of the application domain if
different by setting the trust level assigned to an
outside application using the "trust" element in the
web.config for the ASP.NET application.
Syntax-
<trust level="Full/High/Low/None"
originUrl="url'7>
Example-
<twst level="High"
originUri=http://www.SomeOtherCompany.com/defaul
t.aspx/>
m
a first secure execution space, and
it least one arrangement within the first
amper resistant barrier that prevents the
irst secure execution space from
sxecuting the same executable accessed
>y a second secure execution space
laving a second tamper resistant barrier
vith a second security level different from
he first security level.
The application domain is the execution space for a
particular application.
The second secure execution space is another
application domain that has a different trust level for
an outside application.
If second app domain gives Full trust to the outside
application; whereas the first one doesn't, the first
app domain won't be able to execute the application
that requires full trust permission.
References:
Qi
Exhibit BH
57
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
www.microsoft.com/germany/ms/msdnbiblio/do
tnetrk/doc/assembly.doc
[2] msdn.Microsoft.com/library/en-
us/cpguide/html/
cpconapplicationdomainsoverview.asp?frame=tr
ue
[ 7] LaMacchia,etc, .NET Framework Securi ty.
Addision-Wesley, 2002
Exhibit B|
58 !
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,157,721
mmmmmmmmmmmwmm
34.
A protected processing environment
comprising:
a first tamper resistant barrier having a first
security level,
Product Infringing: Products containing
Microsoft Common Language Runtime or
Compact Common Language Runtime and
products implementing the Common Language
Infrastructure specification.
Microsoft Common Language Runtime and
.NET Framework SDK: ■'
TAMPER RESISTANT BARRIER
The first tamper resistant barrier is the
application domain in the CLR. The runtime ■
hashes the contents of each file loaded into the
application domain and compares it wi th the . •
hash value in the manifest. If twb hashes don't
match, the assembly fails to load. [1]
Also "Code running in one application cannot
directly access code or resources from another
application. The common language runtime
enforces this isolation by preventing direct
calls between objects in different application
domains. Objects that pass between domains
are either copied or accessed by proxy ."[2]
SECURITY LEVELS
Application domains have different security
levels by setting security policy of the
application domain programmatically. [3]
"It has different security based on code-based
security model of.NET Administrators and
hosts use code-access security to decide what
code can do, based on characteristics of the
code itself regardless of what user is executing
the code. The code characteristics are called
evidence and can include the Web site or zone
from which the code was downloaded, or the
digital signature of the vendor who published
the code. "
"When the security manager needs to
determine the set of permissions that an
assembly is granted by security policy, it starts
with the enterprise policy level. Supplying the
assembly evidence to this policy level will
result in the set of permissions granted from
thai policy level. The security manager
typically continues to collect the permission
sets of the policy levels below the enterprise
policy [Including the app domain! in the same
■ Ml
Exhibit Bii
59
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
fashion. These permission sets are then
intersected to generate the policy system
permission set for the assembly. All levels must
allow a specific permission before it can make
it into the granted permission set for the
assembly"
Example of granted permission sets from a .
Condition: All code, Permission Set: Nothing
Condition: Zone: Internet, Permission Set: Internet Condition: URL:
www.monash.edu.au, Permission Set: MonashPSet
Condition: Strong Name: m-Commerce t Permission Set: m-
CommercePSet [4]
Another difference in security levels can be
whether the verification process is turned off or
on, "Managed code must be passed through a
verification process before it can be run
(unless the administrator has granted
permission to ship the verification). The
verification process determines whether the
code can attempt to access invalid memory
addresses or perform some other action that
could cause the process in which it is running
to fail to operate properly. Code that passes
the verification test is said to be type-safe. The
ability to verify code as type-safe enables the
common language runtime to provide as great
a level of isolation as the process boundary, at
a much lower performance cost " [5]
a first secure execution space, and
The application domain is the execution space
for a particular application.
at least one arrangement within the first tamper
resistant barrier that prevents the first secure
execution space from executing the same
executable accessed by a second secure
execution space having a second tamper
esistant barrier with a second security level
different from the first security level.
The second secure execution space is another
application domain that has a different security
policy than the first.
If second app domain's security policy doesn't
give any permission to code from internet
zone, but first app domain does, then the code
would run in first app domain and not in
second. [6]
References:
[i]
www.microsoft.com/germany/ms/msdnbibl
io/dotnetrk/doc/assembly.doc
[2] msdn. Microsoft. com/library/en-
us/cpguide/himl/
cpconapplicationdprnainsoverview.asp?fra
me=true "
li
Exhibit Bli
60
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
[3] LaMacchia.etc. .NET Framework
Securi ty. Addision- Wesley, 2002, p.l 13
[4] Watkins, Demien, "An Overview of
Security in the .NET Framework", from
MSDN Library, January 2002
[5] same as [2]
[6] msdn.Microsoft.com/library/en-
us/cpguide/html/
cpconapplicationdomainlevelsecuritypolicy
.asp?frame=true
.' - ii
Exhibit B II
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,157,721
58.
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
\ method for protecting a first computing
irrangement surrounded by a first tamper
■esistant barrier having a first security level,
he method including:
The first computing arrangement surrounded by
a tamper resistant barrier is the Office 2003
IRM client environment and includes the
signed digital certificate identifying the user. If
the certificate is tampered with, or if certain,
sensitive IRM processes or modules are
debugged or tampered with, the system will
cease to operate.
The first security level is the "Security Level"
which has been selected for a particular Office
Application, e.g.. Word.
jreventing the first computing arrangement
Tom using the same software module accessed
jy a second computing arrangement having a
;econd tamper resistant barrier with a second
;ecurity level different from the first security
evel.
The computing arrangement that prevents a
software module from running in one
computing arrangement and not in another is
the type and characteristics of the particular
software module (VBA program within a
document or add-in); i.e., signed, script author,
code capabilities, etc.j and the "Security Level"
settings.
Exhibit.B
1
2
3
4
5
6
7
8
9
TO
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
JNTERTRVST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
2.
Product Infringing: Windows Media Rights
Manager and Windows Media' Player
A system including:
(a) a first apparatus including,
Consumer's computer, as shown in WMRM
SDK ,
(1) user controls,
Consumer's computer, as shown in WMRM
SDK.
(2) a communications port,
Consumer's computer, as shown in WMRM
SDK '
(3) a processor,
Consumer's computer, as shown in WMRM
SDK
(4) a memory storing:
Consumer's computer, as shown in WMRM
SDK -
(i) a first secure container containing
a governed item, the first secure
container governed item being at
least in part encrypted; the first
secure container having been
received from a second apparatus:
Secure container (packaged Windows Media
file), received by consumer's computer from
"Content provider" ( WMRM SDK, Step 3),
which contains encrypted governed item
("Encrypted content")
(ii) a first secure container rule at least
in part governing an aspect of
access to or use of said first secure
container governed item, the first
secure container rule [sic], the first
secure container rule having been
received from a third apparatus
different from said second
apparatus: and_
Rights portion of signed license, received by
consumer's computer from "License issuer"
(WMRM SDK, Step 9)
(5) hardware or software used for
receiving and opening secure
containers, said secure containers each
including the capacity to contain a
governed item, a secure container rule
being associated with each of said
secure containers:
Windows Media Player and Windows Media
Rights Manager
(6) a protected processing environment at
least in part protecting information
contained in said protected processing
environment from tampering by a user
of said first apparatus, said protected
processing environment including
hardware or software used for
applying said first secure container
rule and a second secure container rule
in combination lo at least in part
govern at least one aspect of access to
or use of a governed item contained in
a secure container: and
1st and 2nd rules consist of any two valid rules
as specified in the Window Media Rights
Manager SDK; protected processing
environment includes Windows Media Rights
Manager and Windows processes for
protecting operation of Windows Media Rights
Manager. Licenses can be used to convey
multiple rules.
(7) hardware or software used for
Anv hardware or software employed in
Exhibit B
transmission of secure containers to
other apparatuses or for the receipt' of
secure containers from other
apparatuses.
transmitting Windows Media files, including
for example consumer's computer's
communication port and Windows Media
Player fWMRM SDK. Step 3^>
Exhibit B
64
1
2
3
4
5
6
7
8
9
iO
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v- MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
K system including:
i first apparatus including,
lser controls,
i communications port,
i processor,
i memory storing:
A device with user controls, a communications
port, a processor and memory. For example,
the user controls may be a keyboard and
mouse, the communications port may be a NIC
card with an Ethernet port, the processor may
be a CPU, and the memory may be a hard-drive
or RAM.
i first secure container containing a governed
tern, the first secure container governed item
>eing at least in part encrypted; the first secure
container having been received from a second
ipparatus;
An encrypted IRM-governed email received
from a remote computer. The encrypted IRM-
govemed email contains an encrypted IRM-
governed email message.
i first secure container rule at least in part
governing an aspect of access to or use of said
irst secure container governed item, the first
;ecure container rule, the first secure container
ule having been received from a third
ipparatus different from said second
ipparatus: and ,
The first secure container rule is received from
the RMS server in the form of a use license.
This use license contains rules generated by the
RMS server specifically for the user (or user's
group)
lardware or software used for receiving and
>pening secure containers,
;aid secure containers each including the
capacity to contain a governed item, a secure
container rule being associated with each of
said secure containers;
i protected processing environment at least in
Dart protecting information contained in said
Drotected processing environment from
^mpering by a user of said first apparatus,
said protected processing environment
including hardware or software used for
applying said first secure container rule and a
second secure container rule in combination to
at least in nart govern at least one aspect of
The RM-enabled device contains hardware or
software for receiving and opening secure
emails.
The secure email has the capacity to contain an
IRM-governed email message, with a rule
being associated with each email.
The rules associated with the secure emails are
rules that come as part of the original email as
well as rules that come back from the RMS.
Protected information on the RM-enabled
device is protected by the use of at least
cryptographic techniques.
The rule governing the email works together
with an additional rule to determine what
access to or use (if any) are allowed with
respect to the IRM-governed email message.
Fotiiexamnle. the additional rule mav be
Exhibit B
1
2
3
4
5
6
7
8
9
!D
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
access to or use of a governed item contained
in a secure container; and
received together with the rule in the use
license.
hardware or software used for transmission of
secure containers to other apparatuses or for
the receipt of secure containers from other
apparatuses.
The device includes hardware or software used
for transmitting or receiving secure emails. For
example, RM-enabled OUTLOOK is designed
to transmit and receive encrypted 1RM-
governed emails lo/from other devices. .
Exhibit B !|
66
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
\ system including:
i first apparatus including,
aser controls,
i communications port,
i processor,
i memory storing:
A device with user controls, a communications
port, a processor, and memory. For example,
the user controls may be a keyboard and
mouse, the communications port may be a NIC
card with an Ethernet port, the processor may
be a CPU, and the memory may be a hard-drive
or RAM.
i first secure container containing a governed
tern, the first secure container governed item
?eing at least in part encrypted; the first secure
container having been received from a second
ipparatus;
The first secure container is an encrypted IRM-
protected document.
This encrypted IRM-governed document is, for
example, received from a remote computer, as
an attachment to an IRM-governed email or
downloaded from a document server or web
site.
i first secure container rule at least in part
governing an aspect of access to or use of said
[irst secure container governed item, the first
secure container rule, the first secure container
-ule having been received from a third
apparatus different from said second
apparatus; and '
The first secure container rule is received from
the RMS server in the form of a use license.
This use license contains rules generated by the
RMS server specifically for the user (or user's
group).
hardware or software used for receiving and
opening secure containers,
said secure containers each including the
:apacity to contain a governed item, a secure
:ontainer rule being associated with each of
said secure containers;
The RM-enabled device contains hardware or
software for receiving and opening secure
documents.
The secure documents have the capacity to
contain IRM-governed content, with a rule
being associated with each secure document.
The rules associated with said secure
documents are the rules that come as part of the
originally received document as well as rules
that come back from the RMS server.
a protected processing environment at least in
pan protecting information contained in said
protected processing environment from
tampering by a user of said first apparatus,
Protected information on the RM-enabled
device is protected by the use of at least
cryptographic technique.
The rule governing the document works
Exhibit Bi
-67 !
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
said protected processing environment
including hardware or software used for
applying said first secure container rule and a
second secure container rule in combination to
at least in part govern at least one aspect of
access to or use of a governed item contained
in a secure container; and .
together with an additional rule to determine
what access to or use (if any) are allowed with
respect to the IRM-governed document. For
example, the additional rule may be associated
with an email to which the document was
attached, or received together with the rule in
the use license. . .
hardware or software used for transmission of
secure containers to other apparatuses or for
the receipt of secure containers from other
apparatuses.
The device includes hardware or software used
for transmitting or receiving secure documents.
For example, RM-enabled OUTLOOK is
designed to transmit and receive'to/from other
devices emails with IRM-governed documents
attached thereto. •
Exhibit
68
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTER TRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
\, system including:
l first apparatus including,
iser controls,
communications port,
processor,
memory storing:
A device with user controls, a communications
port, a processor and memory. ' For example,
the user controls may be a keyboard and '
mouse, the communications port may be a NIC
card with an Ethernet port, the processor may
be a CPU, and the memory may be a hard-drive
or RAM.
first secure container containing a governed
tem, the first secure container governed item
eing at least in part encrypted;
first secure container rule at least in part
overning an aspect of access to or use of said
rst secure container governed item; and
The first secure container containing a
governed item is an 1RM protected email.
Both the email and attachment are IRM
protected, each having their own rules, each
being encrypted.
The rule governing the email (a first secure
container rule) governs said first secure
container governed item.
second secure container containing a digital
srtificate:
The second secure container is the IRM
protected attachment's derived license request
object.
The license request object contains the
Publishing license and a signed digital
certificate.
ardware or software used for receiving and
pening secure containers,
lid secure containers each including the
ipacity to contain a governed item, a secure
>ntainer rule being associated with each of
n'd secure containers:
The RM (IRM) enabled computer has software
for receiving and opening secure containers.
The IRM secure containers have capacity to
contain a governed item, with a secure
container rule being associated with each of
said secure containers.
protected processing environment at least in
ul protecting information contained in said
otected processing environment from
mpering by a user of said first apparatus,
id protected processing environment
eluding hardware ot software used for
Protected information on the RM-enabled
computer is protected by the use of at least
cryptographic techniques.
The rules governing the email itself (first
1 1
, Exhibit B
69 ;
applying said first secure container rule and a
second secure container rule in combination to
at least in part govern at least one aspect of
access to or use of a governed item contained
1 in a secure container: and
secure container rule) and the rules governing
the attachment work together to determine what
access to or use (if any) will be allowed with
respect to the governed item.
hardware or software used for transmission of
secure containers to other apparatuses or for
the receipt of secure containers from other
apparatuses.
IRM-enabled applications, e.g., OUTLOOK,
are designed to transmit and receive RM
secured containers to/from other computers.
Exhibit B
70
■ : i
]
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 j
20 j
21
22
23
24
25
26
27
28
INTER TRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
i system including:
first apparatus including,
ser controls,
communications port,
processor,
memory storing:
A device with user controls, a communications
port, a processor and memory. For example,
the user controls may be a keyboard and '
mouse, the communications port may be a NIC
card with an Ethernet port, the processor may
be a CPU, and the memory may be a hard-drive
or RAM.
first secure container containing a governed
em, the first secure container governed item
eing at least in part encrypted;
The first secure container containing a
governed item is an IRM protected document,
which is an attachment within an IRM
protected email message. The governed item is
the document's content.
Both the email message and attachment are
encrypted and have associated usage rules due
to IRM protection.
first secure container rule at least in part
yverning an aspect of access to or use of said
rst secure container governed item: and
A use license for the IRM protected document
specifies rules governing access to or use of
said first secure container governed item.
second secure container containing a digital
Ttificate;
The second secure container is the IRM
protected email message.
The IRM protected attachment includes a
publishing license and an owner certificate,
both of which are signed XrML digital
certificates.
The attachment (including embedded
certificates) is contained within the IRjM
protected email message (said second secure
container).
rdware or software used for receiving and
►ening secure containers,
id secure containers each including the
pacity to contain a governed item, a secure
ntainer rule being associated with each of
id secure containers:
The RM (IRM) enabled computer has software
for receiving and opening secure containers.
The IRM secure containers have capacity to
contain a governed item, with a secure
container rule being associated with each of
said secure containers.
)rotected processing environment at least in
rt protecting information contained in said
Hected processing environment from
Protected information on the RM-enabled
computer is protected by the use of at least
cryptographic techniques. L
Exhibit B
71
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
tampering by a user of said first apparatus,
said protected processing environment
including hardware or software used for
applying said first secure container rule and a
second secure container rule in combination to
at least in part govern at least-one aspect of
access to or use of a governed item contained
in a secure container; and ■
hardware or software used for transmission of
secure containers to other apparatuses or for
the receipt of secure containers from other
apparatuses.
The rules governing the attachment (first secure
container rule) and the rules governing the
email message (second secure container rule)
work together to determine what access to or
use (if any) will be allowed with respect to the
governed item. • •
RM-enabled applications, e.g., OUTLOOK, are
designed to transmit and receive RM secured
containers to/from other computers.
4. A system as in claim 3,
said memory storing a rule associated with
said second secure container, said rule
associated with said second secure container at
least in part governing at least one aspect of
access to or use of said digital certificate.
All parts of the attachment (including
embedded signed XrML licenses/certificates)
are protected by the enclosing email message
and governed by the associated email rules
(second secure container rule).
Exhibit B i|
72
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
CLAIM LANGUAGE
CLAIM OF INFRINGEMENT
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
A system including:
a first apparatus including,
user controls,
a communications port,
a processor,
a memory storing:
A device with user controls, a coirnmunications
port, a processor and memory. For example,,
the user controls may be a keyboard and '
mouse, the communications port may be a NIC
card with an Ethernet port, the processor may
be a CPU, and the memory may be a hard-drive;
or RAM.
a first secure container containing a governed
item, the first secure container governed item
being at least in part encrypted;
first secure container containing a governed
item is an IRM protected email.
Both the email and attachment are IRM
protected, each having their own rules, each
being encrypted.
a first secure container rule at least in part
governing an aspect of access to or use of said
first secure container governed item; and
The rule governing the email (a first secure
container rule) governs said first secure
container governed item.
a second secure container containing a digital
signature, the second secure container being
different from said first secure container;
The second secure container is the IRM
protected attachment's derived license request
object.
The license request object contains the
Publishing license and a signed digital
certificate.
hardware or software used for receiving and
opening secure containers, said secure
containers each including the capacity to
contain a governed item, a secure container
rule being associated with each of said secure
containers;
The RM (IRM) enabled computer has software
for receiving and opening secure containers.
The IRM secure containers have capacity to
contain a governed item, with a secure
container rule being associated with each of
said secure containers.
a protected processing environment at least in
part protecting information contained in said
protected processing environment from
tampering by a user of said first apparatus,
said protected processing environment
including hardware or software used for
annlvine said first secure container rule and a
Protected information on the RM-enabled
computer is protected by the use of at least
cryptographic techniques.
The rules governing the email itself (first
secure container rule"! and the rules governing
Exhibit B;
i. 73 v
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
second secure container rule in combination to
at least in part govern at least one aspect of
access to or use of a governed item contained
in a secure container: and
hardware or software used for transmission of
secure containers to other, apparatuses or for
the receipt of secure containers, from other
apparatuses. :
the attachment will work together to determine
what access to or use (if any) will be allowed
with respect to the governed item.
RM-enabled applications, e.g., OUTLOOK, are
designed to transmit and receive RM secured
containers to/from other computers.
Exhibit B||
74 "
1
2
3
A
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTER TRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,1 85,683
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
A system including:
a first apparatus including,
user controls,
a communications port,
a processor,
a memory storing:
A device with user controls, a communications
port, a processor and memory. For example,
the user controls may be a keyboard and
mouse, the communications port may be a NIC
card with an Ethernet port, the processor may
be a CPU, and the memory may be a hard-drive
or RAM.
a first secure container containing a governed
item, the first secure container governed item
being at least in part encrypted;
first secure container containing a governed
item is an IRM protected email.
Both the email and attachment are IRM
protected, each having their own rules, each
being encrypted.
a first secure container rule at least in part
governing an aspect of access to or use of said
first secure container governed item; and
The rule governing the email (a first secure
container rule) governs said first secure
container governed item.
a second secure container containing a digital
signature, the second secure container being
different from said first secure container;
The second secure container is the IRM email
attachment.
This attachment and its publishing license are
signed.
hardware or software used for receiving and
opening secure containers, said secure
containers each including the capacity to
contain a governed item, a secure container
rule being associated with each of said secure
containers;
The RM (IRM) enabled computer has software
for receiving and opening secure containers.
The IRM secure containers have capacity to
contain a governed item, with a secure
container rule being associated with each of
said secure containers.
a protected processing environment at least in-
part protecting information contained in said
protected processing environment from
tampering by a user of said first apparatus,
said protected processing environment
including hardware or software, used foi
annlving said first secure container rule and a
Protected information on the RM-enabled
computer is protected by the use of at least
cryptographic techniques.
The rules governing the email itself (first
secure container rule"! and the rules governing
Exhibit B
75
1
2
3
.4.
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
second secure container rule in combination to
at least in part govern at least one aspect of
access to or use of a governed item contained
in a secure container; and
hardware or software used for transmission of
secure containers to other apparatuses or for
the receipt of secure containers' from other
a pparatuses. -_i
the attachment work together to determine what
access to, or use (if any) will be allowed with
respect to the governed item.
RM-enabled applications, e.g., OUTLOOK,are
designed to transmit and receive RM secured
containers to/from other computers.
Exhibit B
76 ::
1
2
3
INTERTRUS T TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
5 is.
6
? II A system including:
Infringing products include Office 2003 and
included applications, arid Server 2003,
including Microsoft hosted RMS Service using
Passport
g a first apparatus including,
p J user controls,
IQ II a communications port,
] ] a processor,
12 I a memory storing:
A device with user controls, a communications
port, a. processor and memory-. For example,
the user controls may be a keyboard and
mouse, the communications port may be a NIC
card with an Ethernet port, the processor may
be a CPU, and the memory may bp a hard-drive
or RAM.
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
a first secure container containing a governed
item, the first secure container governed item
being at least in part encrypted;
The first secure container containing a
governed item is an IRM protected document,
which is an attachment within an IRM
protected email message. The governed item is
the document's content.
Both the email message and attachment are
encrypted and have associated usage rules due
to IRM protection.
a first secure container rule at least in part
governing an aspect of access to or use of said
first secure container governed item: and
a second secure container containing a digital
signature, the second secure container being
different from said first secure container;
use license for the IRM protected document
specifies rules governing access to or use of
said first secure container governed item.
The second secure container is the IRM
protected email message.
The IRM protected attachment includes a
publishing license and an owner certificate,
both of which are signed XrML digital
certificates.
The attachment (including embedded
certificates) is contained within the IRM
protected email message (said second secure
container).
hardware or software used for receiving and
opening secure containers, said secure
containers each including the capacity to
contain a governed item, a secure container
rule being associated with each of said secure
I containers:
The RM (IRM) enabled computer has software
r or receiving and opening secure containers.
The IRM secure containers have capacity to
contain a governed item, with a secure
container rule being associated with each of
said secure containers.
| a protected processing environment at least in
part protecting information contained in said
Protected information on the RM-enabled;
computer is protected hv the use of at least
Exhibit B i|
11
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
protected processing environment from
tampering by a user of said first apparatus,
said protected processing environment
including hardware or software used for
applying said first secure container rule and a
second secure container rule in combination to
at least in part govern at least one aspject of
access to or use of a governed item contained
in a secure container: and • ■
hardware or software used for transmission of
secure containers to other apparatuses or for
the receipt of secure containers from other
apparatuses.
6. A system as in claim 5,
said memory storing a rule at least in part
governing an aspect of access to or use of said
digital signature.
cryptographic techniques.
The rules governing the attachment (first secure
container rule) and the rules governing the
email message (second secure container rule)
work together to determine what access to or
use (if any) will be allowed with respect to the
governed item.
RM-enabled applications, e.g., OUTLOOK, are
designed to transmit and receive RM secured
containers to/from other computers.
All parts of the attachment (including
embedded signed XrML licenses/certificates)
are protected by the enclosing email message
and governed by the associated email rules
(second secure container rule). r _
Exhibit B II
'78 :l
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
28.
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
A system including:
a first apparatus including;
user controls,
a communications port,
a processor,
a memory containing a first rule,
. A device with user controls, a communications
port, a processor and memory. For example,
the user controls may be a keyboard and*
mouse, the communications port may be a NIC
card with an Ethernet port, the processor may
be a CPU, and the memory may be a hard-drive
or RAM.
The first rule governs use of an IRM protected
document (e.g., an IRM rule permitting a .
document to be read by specified users or
barring access to IRM-governed information
from specified users, applications, or other
principals).
hardware or software used for receiving and
opening secure containers,
said secure containers each including the
capacity to contain a governed item, a secure
container rule being associated with each of
said secure containers;
The RM-enabled device contains hardware or
software for receiving and opening secure
containers.
The secure email has the capacity to contain an
IRM-governed email message, with a rule
being associated with each email.
a protected processing environment at least in
part protecting information contained in said
protected processing environment from
tampering by a user of said first apparatus,
said protected processing environment
including hardware or software used for
applying said first rule and a secure container
rule in combination to at least in part govern at
least one aspect of access to or use of a
gOVCIJJCU IICJIJ, cUJU
Protected information on the RM-enabled
device is protected by the use of at least
cryptographic techniques.
The secure container rule is an IRM rule
governing access to the IRM protected
document (e.g., a rule permitting editing by
specified users).
The rule governing the email works together
wiui on auuiuuijai rule io ucicrrnine wnax
access to or use (if any) are allowed with
respect to the IRM-governed email message
(the document's content). For example, the
additional rule may be received together with
the rule in the use license, may be associated
with a publishing license, may be associated
with user certification, revocation lists, or
exclusion policies, or may be received from
anv other source.
hardware or software used for transmission of
The device includes hardware or software used
Exhibit B
79
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
•
•
secure containers to other apparatuses or for
the receipt of secure containers from other
apparatuses; and
for transmitting or receiving secure containers.
For example, RM-enabled OUTLOOK is
designed to transmit and receive encrypted
IRM-eoverned emails to/from other devices.
a second apparatus including:
user controls,
a communications port,
a processor,
a memory containing a second rule,
A device with user controls, a communications
port, a processor and memory. For example,
the user controls may be a keyboard and
mouse, the communications port may be a NIC
card with an Ethernet port, the processor may
be a CPU, and the memoiy may be a hard-drive
orRAM.
The second rule governs use of an IRM . '
protected document (e.g., an IRM rule ^
permitting a document to be read by specified
users or barring access to IRM-governed
information from specified users, applications,'
or other principals').
hardware or software used for receiving and
opening secure containers,
said secure containers each including the
capacity to contain a governed item, a secure
container rule being associated with each of
said secure containers;
The RM-enabled device contains hardware or
software for receiving and opening secure
containers.
The secure email has the capacity to contain an
IRM-governed email item, with a rule being
associated with each secure containers.
a protected processing environment at least in
part protecting information contained in said
protected processing environment from
tampering by a user of said apparatus,
said protected processing environment
including hardware or software used for
applying said second rule and a secure
container rule in combination to at least in part
govern at least one aspect of access to or use
of a governed item;
Protected information on the RM-enabled
device is protected by the use of at least
cryptographic technique.
The secure container rule is an IRM rule
governing access to the IRM protected
document (e.g., a rule permitting editing by
specified users).
The rule governing the email works together
with an additional rule to determine what
access to or use (if any) are allowed with
respect to the IRM-governed item (the
document's content). For example, the
additional rule may be received together with
the rule in the use license, may be associated
with a publishing license, may be associated
with user certification, revocation lists, or
exclusion policies, or may be received from
any other source.
hardware or software used for transmission of
secure containers to other apparatuses or for
the receipt of secure containers from other
apparatuses; and
The device includes hardware or software used
for transmitting or receiving secure containers.
For example, RM-enabled OUTLOOK is
designed to transmit and receive encrypted
IRM-eoverned emails to/from other devices.
an electronic intermediary, said intermediary
including a user rights authority clearinghouse.
The RMS Server (Microsoft hosted or
otherwise) constructs a 'use license' specific to
a piece content and targets it to a specific user.
\\
Exhibit B II
80
1
2
3
4
5
6
7
S
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29. A system as in claim 28, said user rights
authority clearinghouse operatively connected
to make rights available to users.
The RMS server sends use licenses to users
through a communications port, e.g., Ethernet,
serial, satellite, "the internet"
These use licenses include rights.
The clearing functionality of the RMS is
operatively connected to the RMS server.
■ -j I
.. .Exhibit B]
81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
JNTERTRVST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
28.
Product Infringing: Windows Media Rights
Manager and Windows Media Player
A system including:
(a) a first apparatus including;
Consumer's computer, as shown in WMRM
SDK
(1) user controls,
Consumer's computer, as shown, in WMRM
SDK •
(2) a communications port,
Consumer's computer, as shown in WMRM
SDK
(3) aprocessor,
Consumer's computer, as shown in WMRM
SDK
Memory is in the consumer's computer, first
rule is a right received as part of a signed
license (WMRM SDK. Step 9^
(4) a memory containing a first rule,
(5) hardware or software used for
receiving and opening secure
containers, said secure containers
each including the capacity to contain
a governed item, a secure container
rule being associated with each of
said secure containers:
Consumer's computer receives Windows
Media file (secure container) via
communications port (WMRM SDK, Step 3)
and applies secure container rule or rules via
Windows Media Player and Windows Media
Rights Manager.
(6) a protected processing environment at
least in part protecting information
contained in said protected processing
environment from tampering by a
user of said first apparatus, said
protected processing environment
including hardware or software used
for applying said first rule and a
secure container rule in combination
to at least in part govern at least one
aspect of access to or use of a
governed item: and
Processing environment includes Windows
Media Rights Manager and Windows
processes for protecting operation of Windows
Media Rights Manager
(7) hardware or software used for
transmission of secure containers to
other apparatuses or for the receipt of
secure containers from other
apparatuses; and
Hardware or software employed in transmitting
Windows Media files, including for example
consumer's computer's communication port
and Windows Media Player (WMRM SDK,
Step 3) "
(b) a second apparatus including:
2nd consumer's computer
(1) user controls.
2nd consumer's computer
(2) a communications port.
2nd consumer's computer
(3) a processor.
2nd consumer's computer
(4) a memory containing a second rule,
Memory is in the 2nd consumer's computer,
first rule is a Right received as part of a signed
license (WMRM SDK, Step 9)
(5) hardware or software used fci
receiving and opening secure
containers, said secure containers
each including the capacity to contain
2nd consumer's computer receives Windows
Media file (secure container) via
communications port (WMRM SDK, Step 3)
and applies secure container rule or rules via
Exhibit B ii
: r7 82 !i
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
a governed item, a secure container
rule being associated with each of
said secure containers:
Windows Media Player and Windows Media
Rights Manager.
(6) a protected processing environment at
least in part protecting information
contained in said protected processing
environment from tampering by a
user of said apparatus; said protected
processing environment including
hardware or software used for
applying said second rule and a
secure container rule in combination
to at least in part govern at least one
aspect of access to or use of a
governed item:
Processing environment includes Windows
Media Rights Manager and Windows
processes for protecting operation of Windows
Media Rights Manager; processing
environment applies multiple rules in
combination •
(7) hardware or software used for
transmission of secure containers to
other apparatuses or for the receipt of
secure containers from other
apparatuses: and
Hardware or software employed in transmitting
Windows Media files, including for example
2 nd consumer's computer's communication
port and Windows Media Player, (WMRM
SDK, Step ,3)
(c) an electronic intermediary, said
intermediary including a user rights
authority clearinghouse.
License Issuer
29. A system as in claim 28,
said user rights authority clearinghouse
operatively connected to make rights available
to users.
License Issuer, operatively connected to
consumer's computer (WMRM SDK, Step 9)
Exhibit B
83
1
2
3
4
5
6
7
S
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
i>:^^fe^eiMM;OF ; I^FRINGEME«a!»^
56.
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
^ method of securely delivering an item,
ncluding the following steps:
performing an authentication step;
The RM-enabled application, e.g., Word,
OUTLOOK, PowerPoint, etc., must be
authenticated before it is allowed access to or
use of the content.
associating a digital signature with said item;
The RM protected content is signed .
ncorporating said item into a first secure
electronic container, said item being at least in
Dart encrypted while in said container,
said incorporation occurring in an apparatus
containing a first protected processing
environment, said protected processing
environment at least in part protecting
nformation contained in said protected
processing environment from tampering by a
jser of said apparatus:
RM-protected content is packaged with rules
and encrypted.
Protected information on the RM enabled
computer is protected by the use of at least
cryptographic techniques.
n said protected processing environment,
issociating a first rule with said first secure
electronic container, said first rule at least in
part governing at least one aspect of access to
)r use of said item: „
The IRM-protected document (said item) has
an associated rule or rules.
authenticating an intended recipient of said
tern;
A recipient of IRM-protected content must be
authenticated before being allowed access to or
use of the content.
ransmitting said first secure electronic
container and said first rule to said intended
ecipient: and
The document is sent via IRM-protected email
as an attachment.
jsing a second protected processing
environment, providing said intended recipient
jeeess to at least a portion of said item,
;aid access being governed at least in part by
;aid first rule and by a second rule present at
;aid intended recipient's site.
The email is received at another IRM-enabled
computer.
The first said rule is the rule(s) associated with
the attached document, and the second rule is
the rule(s) received that govern the email itself.
Exhibit B !|
'8*4
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
126.
A method of providing trusted intermediary
services including the following steps:
at a first apparatus, receiving an item from
a second apparatus;
associating authentication information with
said item;
incorporating said item into a secure digital
container;
associating a first rule with said secure
digital container, said first rule at least in
part governing at least one aspect of access
to or use of said item;
Product Infringing: Windows Hardware
Quality Labs Authentication services,
Windows operating Systems (such as
Windows XP) that support the driver
signing features, and any product using
Driver Signing feature
Microsoft's Window Hardware Quality .
Labs (WHQL) (first apparatus) receiving
driver package (item) from independent
hardware vendor (IHV) or any driver
developer (second apparatus').
The signature information of a security
catalog file (see next element of claim)
names Microsoft as the publisher.
WHQL's signature is intended to signify
that a driver has complied with Microsoft's
Windows compatibility and/or Secure
Audio Path (SAP) specifications.
The hashes of the files making up the
driver package are included in the signed
security catalog file for the driver package.
The catalog file makes the driver package z
secure digital container.
Driver developers specify rules in an INF
file that govern the installation and/or use
of the driver. For example, as specified in
the INF, the installation events will vary
based on the user's operating system
version, which includes architecture,
product type and suite. The INF logging
rules and can further specify security rules
that are evaluated when the driver is used.
White Paper - Operating-System
Versioning for Drivers under Windows XP
Setup selects the [Models] section to use
based on the following rules:
If the INF contains [Models] sections for
several major or minor operating system
version numbers, Setup uses the section
with the highest version numbers that are
not higher than the operating system
version on which the installation is taking
place.
.Exhibit B
85
293482.02
If the INF [Models] sections that match the
operating system version also include
product type decorations, product suite
decorations, or both, then Setup selects the
section that most closely matches the
running operating system.
Suppose, for example, Setup is running on
Windows XP Professional -(which is
operating system version 5.1), and it finds
the following entry in a [Manufacturer]
section:
%FooCorp%=FooMfg, NT, NT,5,NT.5.5,
NT....0x80
In this case, Setup will look for a [Models]
section named [FooMfg.NT.5j: Setup will .
also use the [FooMfg.NT.5] section if it is
running on a Datacenter version of
Windows .NET Server, because a specific
major/minor version takes precedence over
the product type and suite mask.
For Example, to create an INF that is
intended for use only on Windows XP, the
INF file could contain the following:
[Manufacturer]
"Foo Corp." = FooMfg, NT.5.1, NT.5.2
[FooMfg.NT.5.1]
'Too Device" = FooDev, *F001234
Note the omission of the undecorated
[FooMfg] section, as well as the omission
of the [FooMfg.NT.5.2] section. This INF
file would appear to be "empty" on any
operating system other than Windows XP.
Access Control List Rules
XP DDK -Tightening File-Open
Security in a Device INF File
For Microsoft Windows 2000 and later,
Microsoft tightened file-open security in
the class installer INFs for certain device
classes, including CDROM, DiskDrive,
FDC, FloppyDisk, HDC, and -
SCSIAdapter.
If you are unsure whether the class installer
for your device has tightened security on
file opens, you should lighten security by
using the device's INF file to assign a value
to the DeviceCharacteristics value name
in the registry. Do this within an add-
Exhibit B
86
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
transmitting said secure digital container
and said first rule to a third apparatus, said
third apparatus including a protected
processing environment at least in part
protecting information stored in said
protected processing environment from
tampering by a user of said third apparatus;
said third apparatus receiving said secure
digital container and said first rule:
said third apparatus checking said
authentication information; and
registry-section, which is specified using
the INF AddReg directive.
Microsoft, IHV, driver developer or any
other party distributing signed driver
packages transmitting the driver package to
user (third apparatus). Since the driver
package includes the INF file, it will
include the first rule. The protected
processing environment (PPE) is Windows
operating system with its pertinent services
such as Windows File Protection, signature
and cryptographic functions, Plug and Play
and Set-up and their related default and
modifiable policies. The PPE checks for
signatures on driver packages and detects
situations when the driver package's
signature does not match the driver
package-
Additionally, the Digital Rights Manager
(DRM) components (kernel and client) will
contribute to making the third apparatus a
PPE when the SAP functionality is ^
invoked. [That is, when SAP is required, an
additional signature is checked to verify
that the driver is SAP compliant and that it
hasn't been tampered with.]
The end-user receiving the driver package.
A step in the Plug and Play/Setup driver
installation process checks signature at
installation. Additionally, the DRM
component will check the DRM signature
when invoking DRM functionality.
White Paper - Driver Signing for Windows
During driver installation, Windows
compares the hashes contained in the
driver's CAT file with the computed hash
of the driver binaries to determine whether
the binaries have changed since the CAT
file was created. If a driver fails the
signature check or there is no CAT file,
what happens next depends on the driver
signing policy in effect on the user's
system:
If the policy is set to Ignore, the driver
installs silently, with no message to the
user.
If the policy is set to Warn, a message
warns the user the driver is unsigned,
which means that it has not passed WHOL
Exhibit B 11
87
2
3
. 4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
testing and might cause problems. The
Warn dialog, box gives an administrative
user the option to override the warning and
install an unsigned driver anyway.
If the policy is set to Block, the system
displays a message that informs the user
that the driver, cannot be installed because
it is not digitally signed.
said third apparatus performing at least one
action on said item, said at least one action
being governed, at least in part, by said
first rule and by a second rule resident at
said third apparatus prior to said receipt of
said secure digital container and said first
rule, said action governance occurring at
least in part in said protected processing
environment.
The action would be installing and/or using
the driver. For example, installation
policies govern the actions (ignore, warn or
block) taken based on whether a driver is
signed or not and these policies (rule) are
resident on the third apparatus. Another
rule is the "ranking" of available drivers
when selecting a driver to install. This
ranking process includes whether a driver
is signed or not. Another rule is the
security access rules that the class installer
that will be used to install the device has.
In the case qf DRM, the content will have
associated rules governing its use in a SAP-
complaint environment. These rules (the
content license) can be resident at the third
apparatus particularly in the case when a
user is installing a new (SAP-compliant)
device that will render previously acquired
content or in the case that acquired content
cannot be rendered until the user installs
required drivers.
For example, when installing:
The XP driver ranking process and the
modifiable default related to signature state
of the driver act as the second rule.
The driver will be installed only if the first
and second rules validate. ■
Operating-System Versioning for Drivers
under Windows XP
Default System Policy for Unsigned
Drivers
If the user installs an unsigned driver for a
designated device class from disk or from
another web site, Windows XP/Windows
2000 displays a warning that the driver is
unsigned, thus helping lo preserve the
integrity of the released system. However,
bv default, Windows XP/Windows 2000
293482.02
Exhibits B
88 W
does not block installation of unsigned
drivers, so vendors can get urgent hot-fixes
to customers while waiting for WHQL to
test the fix.
In Windows XP, the default driver signing
policy can be changed through the
Hardware tab of the System applet on the .
Control Panel. A user can change the
policy to be more restrictive, but not less
restrictive on a per-user basis (that is, a
user can change Warn to Block, but not to
Ignore). An administrator can change the
policy to be either more restrictive or less
restrictive for. all users on the system by
checking "Apply the setting as system
default."
Driver Ranking
Under Windows XP, the driver ranking
strategy has been modified as follows:
If an INF file is unsigned, and if neither the
[Models] section nor the [DDInstall]
section is decorated with an NT-specific
extension, the INF file is considered
" suspect" and its rank is shifted into a
higher range (that is, worse) than all
hardware and compatible rank matches of
INF files for which one (or both) of those
criteria are met.
The new ranking ranges will now be:
0 - OxFFF
(DRIVER J1ARDWAREIDJIANK) :
"trusted" hardware-ID match
0x1000- 0x3FFF : "trusted" compatible-
ID match
0x8000 - 0x8FFF : "untrusted" hardware-
D match
0x9000 - OxBFFF : "untrusted"
compatible-ID match
OxCOOO - OxCFFF : "untrusted"
undecorated hardware-ID match (possibly a
Windows 9x-only driver)
OxDOOO - OxFFFF : "untrusted"
undecorated compatible-ID match
(possibly a Windows 9x-only driver)
11. A method as in claim ]26, in which
*d authentication information at least in
I part identifies said first apparatus and/or a
The authentication information will
identify Microsoft, operator of the first
apparatus.
Exhibit B
8*9
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
user of said first apparatus.
ii
1 1
. Exhibit B Ij
90 :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
126.
A method of providing trusted intermediary
services including the following steps:
at a first apparatus, receiving an item from
a second apparatus;
associating authentication information with
said item;
Products Infringing: Microsoft Software
that includes the Authenticode feature,
.NET Framework SDK, Visual Studio,
Microsoft technology that supports a digital
signature function (such as ActiveX),
Windows Installer technology.
Infringement is based on use Microsoft
ActiveX control, Cabinet file, Microsoft
Windows Installer, Authenticode and
Software Restriction Policy technologies.
For example, a software publisher
distributing a signed application that has
licensed ActiveX controls embedded
within it would practice this method.
The item is unsigned software such as an
ActiveX control or any software packaged
in a cabinet file or Microsoft Installer
(.msi) file. Within the development
environment, multiple software developers
(working on a second apparatus) will send
their unsigned software to a secure location
(first apparatus) containing the entity's
private signing key. An example entity
would be a software publisher.
Source: Deploying ActiveX Controls on
the Web with the Internet Component
Download
The holder of the digital certificate
Keeping your digital certificate safe is very
important. Some firms (including
Microsoft) do not keep their signature file
on site. The signature is kept with the
Certificate Authority and files are sent
there for signing.
Signing the software associates the
software publisher's identify with the
software.
Source: Packaging ActiveX Controls
Signing Cabinet Files
A .cab file can be digitally signed like an
ActiveX control. A digital signature
provides accountability for software
developers: The signature associates a
software vendor's name with a given file,
signature is applied to a .cab file (or
control) using the Microsoft Authenticode®
ii
• • -!j
Exhibit Bj
91 ;
1
2
3
.4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
technology.
The .cab tool set assists software
. developers in applying digital signatures to
.cab files by allowing a developer to
allocate space in the .cab file for the
signature.
incorporating said item into a secure digital
container;
Signing software either directly or within a
package (cabinet or .msi file) secures it in a
digital container. ...
Alternately, the signed ActiveX control
could be placed into a signed cabinet file.
293482.02
associating a first rule with said secure
digital container, said first rule at least in
part governing at least one aspect of access
to or use of said item;
The first rule would be the licensing ,
support code within the ActiveX control
and/or conditional syntax statements when
the software is within a signed .msi file.
When the software is within a signed
cabinet file, the first rule can be a rule
contained in the software, as. is the case
when an ActiveX control is packaged in a
signed cabinet file.
First rule, in the case of ActiveX:
When an application with a licensed
ActiveX control is started, an instance of
the control usually needs to be created.
The application accomplishes this by
making a call to CreatelnstanceLic and
passing the license key embedded in the
application as a parameter in the call. The
ActiveX control performs a string
comparison between the embedded license
key and its own copy of the license key. If
the keys match, an instance of the control is
created and the application can execute
normally.
Source: Using ActiveX Controls to
Automate Your Web Pages
Run-time licensing
Most ActiveX Controls should support
design-time licensing and run-time
licensing. (The exception is the control that
is distributed free of charge.) Design-time
licensing ensures that a developer is
building his or her application or Web page
with a legally purchased control; run-time
licensing ensures that a user is running an
application or displaying a Web page that
contains a legally purchased control.
Design-time licensing is verified by control
containers such as Visual Basic. Microsoft
Access, or Microsoft Visual InterDev®.
Before these containers allow a developer
to place a control on a form or Web page.
Exhibit B!;
> 92 •
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
they first verify that the control is licensed
by the develpper or content creator. These
containers verify that a control is licensed
by calling certain functions in the control:
If the license is verified, the developer can
add it.
Run-time licensing is also an issue for
these containers (which are sometimes
bundled as part of the final application); the
containers again call functions in the
control to validate the license that was
embedded at design time.
transmitting said secure digital container
and said first rule to a third apparatus, said
third apparatus including a protected
processing environment at least in part
protecting information stored in said
protected processing environment from
tampering by a user of said third apparatus;
The third apparatus is a user computer or
an application server. The protected
processing environment (PPE) is Windows
operating system, Internet Explorer (IE)
and pertinent operating IE services such as
Windows File Protection and security,
signature and cryptographic functions
related to code signing and related policies.
The PPE checks for signatures on software
or the software packages and detects
situations when the signature does not
validate as an indication that tampering
mav have occurred with the item.
said third apparatus receiving said secure
digital container and said first rule;
Having the third apparatus receiving said
secure digital container and said first rule is
typical of networked computing
environments.
said third apparatus checking said
authentication information; and
Examine the signature information includes
verifying that signature was creating using
the private key that corresponds to the
public kev of the publisher.
said third apparatus performing at least one
action on said item, said at least one action
being governed, at least in part, by said
first rule and by a second rule resident at
said third apparatus prior to said receipt of
said secure digital container and said first
rule, said action governance occurring at
least in part in said protected processing
environment.
The action would be installation and/or use
of the distributed software. The second
rule can be software restriction policies
resident on the machine, which can be
invoked at installation and/or runtime.
.NET Framework Secuntv - DC 259
and
White Paper - Using Software Restriction
Policies in Windows XP and Windows
.NET Server to Protect Against
Unauthorized Software
Software Restriction Polices is a policy-
driven technology that allows
dUJ IJ JilJMJ a IUI 2> IU oCl vUUt IUvJJUIJ UuoCU
rules that determine whether an application
is allowed to execute. (.NET Framework
Security - pg 259)
Exhibit Bij
' 93 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
For example, administrators can set rules
for all Windows Installer packages coming
from the Internet or Intranet zone.
As part of the DLL load mechanisms,
Software Restriction Policies is invoked
and starts to check its most specific rules.
Software Restriction Policies get invoked .
prior to an .exe being able to run.
The four types of rules are - hash,
certificate, path, and zone.
Note: The hash and certificate rules relate
directing to the signature information
whereas, the path and zone rules do not.
127. A method as in claim 126, in which
said authentication information at least in
part identifies said first apparatus and/or a
user of said first apparatus.
The software publisher, user of first device,
is identified in the authentication
information. .
■ ti
Exhibit B |!
' 94
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
JNTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
1NTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
126.
Product infringing: Visual Studio .NET,
.NET Framework SDK, Authenticode,
Products that contain the .NET CLR,
Compact CLR or CLI.
A method of providing trusted intermediary
services including the following steps:
at a first apparatus, receiving an item from
a second apparatus;
First apparatus is a software build or
deployment services computer that has
access to signing key. The item may be a
program, graphic, media object or other
resource, from a developer computer, or
archive ( second apparatus^
associating authentication information with
said item;
Associating a cryptographic hash with the
file that will contain this item for the
purpose of ensuring the authenticity of the
item, along with names and attributes that
are desired to be associated with the item
for identification purposes.
incorporating said item into a secure digital
container;
Producing signed, strongly named
assembly that contains this assembly and
associated attributes.
associating a first rule with said secure
digital container, said first rule at least in
part governing at least one aspect of access
to or use of said item;
Including any security demands (such as
members of the Microsoft .NET
Framework SDK Public Class
CodeAccessSecurity Attribute) as part of
the assemblv.
transmitting said secure digital container
and said first rule to a third apparatus, said
third apparatus including a protected
processing environment at least in part
protecting information stored in said
protected processing environment from
tampering by a user of said third apparatus;
The third apparatus is a user computer or
an application server. The third
apparatus's protected processing
environment is Windows NT and the .NET
CLR, CLI and/or compact CLR.
Information is protected from tampering
because user is not administrator, user runs
code on server, a share on another
computer, or over a network. Further this
information is protected by a number of
protection mechanisms that are included
with the Windows NT and CLR, CLI'
and/or compact CLR distributions.
said third apparatus receiving said secure
digital container and said first rule;
Having the third apparatus receiving said
secure digital container and said first rule is
typical of networked computing
environments.
said third apparatus checking said
authentication information; and
The .NET Framework, when the assembly
is installed into the global assembly cache
CGAC). verifies the strong name of
assemblies. This process includes
verifying that signature was creating using
the private kev that corresponds to the
Exhibit B1|
95
1
2
3
4
5
6
7
8
9
10
11
12
.13
14
15
16
17.
18
19
20
21
22
23
24
25
26
27
28
public key of the publisher.
said third apparatus performing at least one
action on said item, said at least one action
being governed, at least in part, by said
first rule and by a second rule resident at
said third apparatus prior to said receipt of
said secure digital container and said first
rule, said action governance occurring at
least in part in said protected processing
environment.
The action is executing code that is the
item or using code that renders the item.
Action is governed by security demands on
code that calls the item or on code that calls
code included in the .NET assembly that
manages said item. The second rule is the
machine, enterprise, user, and application,
configuration file resident rules. Typically
these configuration files will be populated
before the arrival of most new assemblies
in a virtual distribution environment This
action governance occurs in the protected
processing environment of the CLR, CLI
and/or compact CLR. ■
127. A method as in claim 126, in which
said authentication information at least in
part identifies said first apparatus and/or a
user of said first apparatus.
The authentication information will '
identify the .NET Assembly Class
company name and trademark attributes
that identify the apparatus or user of the
first apparatus as being a member of an
entity or a branded source (brand nameV
Exhibit B !i
96
1
2
3
.4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
INTER TRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
1NTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,185,683
126.
A method of providing trusted intermediary
services including the following steps:
at a first apparatus, receiving an item from
a second apparatus;
associating authentication information with
said item;
Product infringing: Visual Studio .NET,
.NET Framework SDK, Authenticode,
Products that contain the .NET CLR,
Compact CLR or CLI.
The item is an unsigned .NET assembly,
which can include, but not be limited to, a
Web control, multi-file assembly or
component. Within the development
environment, multiple assembly builders
(working on a second apparatus) will send
their unsigned assembly to a secure 1
location (first apparatus) containing the
entity's private signing key. An example
entity would be a software publisher.
.NET Security Framework - pg 130-1
Describes this exact practice and further
explains the "Delay Signing Assemblies"
feature of .NET that accommodates the fact
that "many publishers will keep the private
key in a secure location, possibly
embedded in specially designed
cryptographic hardware."
"Delay signing is a technique used by
developers whereby the public key is added
to the assembly name as before, granting
the assembly its unique identity, but no
signature is computed. Thus, no private
key access is necessary."
Strong naming the assembly binds the
entity's/publisher's name into the
assembly. The public portion of the key
used to strongly name the assembly is
placed in the assembly manifest. Other
assemblies or applications can contain
references to the strong names of strongly
named assemblies such as in the case of
applications that contain references to a set
of compliant .NET core libraries. Strong
naming compliant .NET core libraries with
the European Computers Manufactures
Association's fECMA) key is a way to
allow any publisher to develop compliant
.NET core libraries that can be
authenticated by other applications.
•.a
1!
Exhibit Bii
'"97
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
incorporating said item into a secure digital
container; .
associating a first rule with said secure
digital container, said first rule at least in
part governing at least one aspect of access
to or use of said item;
.NET Security Framework - pg 1 24
"Strong naming is a process whereby an
assembly name can be further qualified by
the identity of the publisher"
.NET Security Framework - pg 133
The publisher must advertise its public key
or keys in an out-of-band fashion (such as
documentation shipped with the product or
on the cdmpany Web site)
.NET Security Framework - pg 130
The goal of the ECMA key is to allow a
slightly more generalized strong name
binding than usual, namely allowing
binding to the publisher of the runtime in
use, rather than to a fixed publisher.
Signing the assembly places it in a secure
container.
.NET Framework Security - pg 527
Strong named assemblies cannot be
modified in any manner without destroying
the strong name signature.
Applied Microsoft .NET Framework
Programming - pg 89
Strongly Named Assemblies Are Tamper-
Resistant
When the assembly is installed into the
GAC, the system hashes the contents of the
file containing the manifest and compares
the hash value with the RSA digital
signature value embedded within the PE
file (after unsigning it with the public key).
If the values are identical, the file's
contents haven't been tampered with and
you know that you have the public key that
corresponds to the publisher's private key.
In addition, the system hashes the contents
of the assembly's other files and compares
the hash values with the hash values stored
in the manifest file's FileDef table. If any
of the hash values don't match, at least one
of the assembly's files has been tampered
with and the assembly will fail to install
into the GAG. ;
A .NET assembly includes imperative and
declarative statements/rules that will
govern its access or use. For example,
role-based security or strong name
demands in the assembly can be the first
rule.
MSDN on Role-Based Security
Applications that implement role-based
security grant rights based on the role
Exhibit B !j
98 "
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
associated with a principal object. The
principal object represents the security
context under which code is running. The
PrincipalPermission object represents the
identity and role that a particular principal,
class must have to run. To implement the'
PrincipalPermission class imperatively,
create a new instance of the class and
initialize it with the name and role that you
want users to have to access your code.
MSDN on StrongNameldentityPermission
StrbngNameldentityPermission class
defines the identity permission for strong
names. StrongNameldentityPermission
uses this class to confirm that calling code
is in a particular strong-named assembly.
transmitting said secure digital container
and said first rule to a third apparatus, said
third apparatus including a protected
processing environment at least in part
protecting information stored in said
protected processing environment from
tampering by a user of said third apparatus;
The third apparatus is a user computer or
an application server. The software
publisher transmitting the .NET assembly
to an end-user with a CLR. The third
apparatus's protected processing
environment is Windows NT and the .NET
CLR, CLI and/or compact CLR.
Information is protected from tampering
because user is not administrator, user runs
code on server, a share on another
computer, or over a network. Further this
information is protected by a number of
protection mechanisms that are included
with the Windows NT and CLR, CLI
and/or compact CLR distributions.
said third apparatus receiving said secure
digital container and said first rule;
The end-user receiving the signed
assembly.
said third apparatus checking said
authentication information; and
The .NET Framework, when the assembly
is installed into the global assembly cash
(GAC), verifies the strong name of
assemblies. This process includes
verifying that signature was creating using
the private key that corresponds to the
public key of the publisher.
Applied Microsoft .NET Framework
Programming - pg 89
Strongly Named Assemblies Are Tamper-
Resistant
As above.
.NET Framework Security - pg 128
The verification of any strong name
assemblies is performed automatical!)
when needed by the .NET Framework.
Any assembly claiming a strong name but
Exhibit B
99'
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
failing verification will fail to install into
the global assembly or download cache or
will fail to load at runtime.
said third apparatus performing at least one
action on said item, said at least one action
being governed, at least in part, by said
first rule and by a second rule resident at
said third apparatus prior to said receipt of
said secure digital container and said first
rule, said action governance occurring at
lea**t in nart in <;aiH rjrntprtpH nrnrpccino
environment.
Within the CLR (protected processing
environment), the execution of the program
will depend upon whether the user is of the
"role" required of the assembly or whether
the calling assembly is from a strong-
named assembly specified ih the "item"
assembly (alternate first rules) and only if
assembly complies with the local code
access security policy (second rule), as an
example of one of the types of rules that
.NET Framework allows to be resident on
the third apparatus..
127. A method as in claim 126, in which
said authentication information at least in
Dart identifies said first apparatus and/or a
user of said first apparatus.
The user of the first apparatus is the developer
at the assembly deyeioper. Strong naming
binds the publisher's name to assembly.
:.aMacchia, Brian, etc, .NET Framework Security . Addison- Wesley, 2002
Richter, Jeffrey, Applied Microsoft .NET Framework Programming . Microsoft Press, 2002
Exhibit B
100
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
•
1NTERTRUST TECHNOLOCL
INTERTRUST INFI
FOR U.S. PATE
•
tS CORP. v. MICROSOFT CORP.
UNGEMENT CHART
INT NO. 6,253,193
i
Infringing products include Windows Media
Player and Windows Media Rights Manager
SDK
A method comprising:
(a) receiving a digital file including music;
Reference is made to the Windows Media
Rights Manager SDK Programming Reference
("WMRM SDK"), attached hereto as Exhibit
A. Media Player infringement analysis is set
forth herein using the example of a music - file
downloaded and transferred to a portable audio
player.
Consumer receives a Windows Media file
. (WMRM SDK. Step 3 % i
(b) storing said digital file in a first secure
memory of a first device;
Windows Media file is stored in consumer's
computer and all use of it is securely managed
by the Secure Content Manager in Windows
Media Plaver.
(c) storing information associated with said
digital file in a secure database stored on said
first device, said information including at least
one budget control and at least one copy
control, said at least one budget control
including a budget specifying the number of
copies which can be made of said digital file;
and said at least one copy control controlling
the comes made of said digital file:
License is stored in the License Store (WMRM
SDK, Step 5); license includes Rights which
may include AllowTransfertoNonSDMI,
AllowTransfertoSDMI, (or Allow Transfer to
WM-D-DRM-Compliant devices or other
types of devices), and, TransferCount- the
number of times a piece of content may be
transferred to the device (a transfer budget).
17
18
19
20
(d) determining whether said digital file may
be copied and stored on a second device based
on at least said copy control;
Windows Media Rights Manager enforces the
license restrictions
(e) if said copy control allows at least a portion
of said digital file to be copied and stored on a
second device,
Windows Media Rights Manager determines
whether the AllowTransferToNonSDMI or
AllowTransferToSDMI rights are present.(Or,
Allow Transfer to WM-D-DRM-Compliant
devices or other tvpes of devices."!
21
22
(l)copying at least a portion of said digital
file;
Transfer to the SDMI or non-SDMI portable
device (Allow Transfer to WM-D-DRM-
Compliant devices or other types of devices), if
allowed bv Windows Media Rights Manager
23
24
(2)transferring at least a portion of said
digital file to a second device
including a memory and an audio
and/or video output:
Portable device necessarily includes at least a
memory and audio output 1
25
(3)storing said digital file in said memory
oi said second device: and
Music file is transferred to the portable device
26
(4)including playing said music through
said audio output.
Portable device plays the music
27 p
2. A method as in claim ], further
:omprising:
28
,a) at a time substantially contemporaneous
vith said transferrins steD. recording in said
Counter reflecting TransferCount is —
decremented bv Windows MpH;* P,'oii*c
ii
. .Exhibit B !!
101
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
first device information indicating that said
transfer has occurred. .
Manager
3. A method as in claim 2, in which:
(a) said information indicating that said
transfer has occurred includes an encumbrance
on said budget.
Counter decrement reduces the allowable
number of budgeted transfers
4. A method as in claim 3. in which;
(a) said encumbrance operates to, reduce the
number of copies of said digital file authorized
bv said budget.
Counter decrement reduces the allowable
number of budgeted transfers
Exhibit B 1
102
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
• •
1NTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,253,193
Infringing products include Windows Media
Player and Windows Media Rights Manager
SDK . ■
11. A method comprising:
(a) receiving a digital file;
Consumer receives a Windows Media file
(WMRM SDK. SteD 3)
(b) storing said digital file in a first secure
memory of a first device;
Windows Media file is stored in consumer's,
computer and all use of it is securely managed
by the Secure Content Manager in Windows
Media Plaver.
(c) storing information associated with said^
digital file in a secure database stored on said
first device, said information including a first
control;
License information is stored in the License
Store (WMRM SDK, Step 10), license ^ .
information includes Rights. License Rights
may include AllowTransferToNonSDMI,
AllowTransferToSDMI (Allow Transfer to
WM-D-DRM-Compliant devices or other
tvpes of devices^ TransferCount
(d) determining whether said digital file may
be copied and'stored on a second device based
on said first control.
WMRM determines whether transfer rights are
included in license (WMRM SDK, Step 5)
(1) said determining step including
identifying said second device and
determining whether said first control
allows transfer of said copied file to
said second device, said determination
based at least in part on the features
present at the device to which said
copied file is to be transferred:
Portable Device Service Provider Module
identifies the portable device as either SDMI-
compliant or non-SDMI-compliant (or WM-D-
DRM Compliant or other types of supported
devices) and provides this information to
Windows Media Device Manager, which
allows the transfer based on whether the device
identification matches the License Rifiht.
(e) if said first control allows at least a portion
of said digital file to be copied and stored on a
second device,
If Windows Media Rights Manager determines
whether the AllowTransferToNonSDMI or
AllowTransferToSDMI rights are present (or
Allow Transfer to WM-D-DRM-Compliant
devices or other types of devices), the
following steps are performed:
(1) copying at least a portion of said
digital file;
Transfer to the SDMI or non-SDMI (Allow
Transfer to WM-D-DRM-Comphant or other)
portable device, if allowed by Windows Media
Rights Manager
(2) transferring at least a portion of said
digital file to a second device
including a memory and an audio
and/or video output;
Portable device necessarily includes at least a
memory and audio output
(3) storing said digital file in said memory
of said second device; and
Music file is stored in the portable device
(4) rendering said digital file through said
outnut.
Portable device plays the music
, ji
Exhibit B %
103
1
2
3
■ 4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
•
•
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
1NTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,253,193
Product infringing: Windows Media Player,
Windows Media Player, Windows Media
Rights Manager SDK •
15. A method comprising:
(a) receiving a digital file;
Consumer receives a Windows Media file
(YWMRM SDK. Step 3^1
(b) an authentication step comprising:
(1) accessing at least one identifier
associated with a first device or with a
user of said first device; and
License includes identity of user's Windows
Media Player: WM Players-capable of playing
protected content must be individualized.
They contain a unique (Individualized) DRM
client component to which protected WMA
content licenses are bound. Content licenses
are bound to this DRM individualization
module as the result of a challenge sent from
the Client to the WMLM service. The
challenge contains information about
Individualized DRM Client (in the form of an
encrypted Client ID) and capabilities of the
machine (e.g. support for Secure Audio Path
(SAP), version of the WMRM SDK supported
in the plaver.
(2) determining whether said identifier is
associated with a device and/or user
authorized to store said digital file;
Music file cannot be used unless identifier
indicated in License matches user's Windows
Media Player identifier (that is, the
Individualized DRM Client to which the
license is bound must be the same one
supported bv the device^.
(c) storing said digital file in a first secure
memory of said first device, but only if said
device and/or user is so authorized, but not
proceeding with said storing if said device
and/or user is not authorized;
Music file will not be processed through
Windows Media Player, including protected
rendering buffers, unless the identifiers match.
Protected WMA file can be stored on client
even if unauthorized but it cannot be decrypted
and enter into the secure boundary (first secure
memory) of the player unless appropriately
licensed.
(d) storing information associated with said
digital file in a secure database stored on said
first device, said information including at least
one control;
License includes Rights and is stored in the
License Store, Rights may include
Allow 1 ransler J oNonoL/Mi,
AllowTransferToSDMI, (or Allow Transfer To
WM-D-DRM-CompliantDevice or bther
device) TransferCount
(e) determining whether said digital file may
be copied and stored on a second device based
on said at least one control;
Windows Media Rights Manager enforces the
license restrictions
(f) if said at least one control allows at least a
portion of said digital file to be copied and
stored on a second device.
If appropriate rights are present, the following
sieps are performed:
iW convinp at least a Dortion of said
Transfer to the SDMI or non-SDMI (or WM-
I;
it
Exhibit B jj
104 * !l
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
digital file;
D-DRM Compliant or other) portable device, if
allowed bv Windows Media Rights Manager
(2) transferring at least a portion of said
digital file to a second device
including a memory and an audio
and/or video output;
Portable device necessarily includes at least a
memory and audio output
(3) storing said digital .file in said memory
of said second device: and
Music file is stored in the portable device
(4) rendering said digital file through said
output.
Portable device plays the music
36. A method as in claim 15. in which:
said digital file is received in an encrypted
form;
and further comprising:
decrypting said digital file after said
authentication step and before said step of
storing said digital file in said memory of said
first device.
Protected Windows Media File is encrypted,
WMP will not decrypt file until license is
processed. Licenses are bound to
Individualization DLLs, which are bound to
Hardware ID. Ind. DLL and Hardware ID
must be verified as the Ids to which the license
is bound - this is the authentication process.
(Recall that this module was created based in
part on receipt of the Client Hardware ID or
fingerprint and the license was create based in
part on receipt of a challenge from the client
indicating the security properties (SAP-ready,
SDK support, etc.) of the client).
Exhibit B!
"105 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,253,193
19.
Infringing products include Office 2003 and
included applications, and Server 2003,
including Microsoft hosted RMS Service using
Passport
\ method comprising:
eceiving a digital file at a first device;
Receiving a digital file such as a Word
Document, email, Excel spreadsheet,
PowerPoint presentation, or other content at a
recipient's device. Such content may be
received via email, received on removable ■
media, such as floppy disk, downloaded and ,
viewable by Internet Explorer, e.g., a web page
possibly containing graphics and/or audio data,
etc.
:stablishing communication between said first
levice and a clearinghouse located at a
ocation remote from said first device;
If the digital file is subject to rights
management, and the recipient tries to open the
digital file in an IRM-enabled application, the
IRM-enabled application contacts a remote
RMS, i.e., clearinghouse for a use license.
aid first device obtaining authorization
nformation including a key from said
;learinghouse;
If the recipient is authorized to access or use
the digital file, the RMS creates a license for
the digital file. The RMS then seals a key
inside the license so that only the recipient
canaccess or use the digital file. Finally, the
RMS sends the license back to the recipient.
aid first device using said authorization
nformation to gain access to or make at least
>ne use of said first digital file, including
ising said key to decrypt at least a portion of
aid first digital file; and
The recipient's device then uses the key in the
license to gain access or decrypt a portion of
the digital file.
eceiving a first control from said
learinghouse at said first device;
The license received from the RMS at the
recipient's device contains at least one control,
such as restricting the ability to print, forward,
or edit. ■
toring said first digital file in a memory of
aid first device;
The digital file is stored in the memory of the
said recipient's device, such as in RAM, on a
hard drive, etc.
ising said first control to determine whether
aid first digital file may be copied and stored
>n a second device;
The at least one control in the license limits
copying the digital file.
Such controls are set when the digital file was
authored. For example, when the digital file is
authored, the IRM-enabled application
presented the author with a list of policy
templates with different rights levels. The
author selected an appropriate rights level
which may for instance, allow other users in the
svstem to onen and read the document, hut not
Exhibit SI
106 * ;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
to modify it, copy text from it, or forward it.
These rights or controls are then associated
with the digital file.
When an attempt is made to access the digital
file, the RMS determines the recipient's rights
based on the recipient's identity and the
policies or controls associated with the digital
file.
if said first control allows at least a portion of
said first digital file to be copied and stored on
a second device.
If the control in the license allows copying the
digital file to a second device, then at least a
portion of the digital file is copied.
copying at least a portion of said first digital
file:
such as by transferring or forwarding the digital
file in an email message:
transferring at least a portion of said first
digital file to a second device including a
memory and an audio and/or video output:
A portion of the digital file is then transferred
to a second device, such as a personal computer
or portable device. The second device includes
a memory and an audio and/or video output.
The memory may be a hard-drive, RAM, CD,
DVD, or other storage. The audio and/or video
output may be speakers and/or a video monitor.
storing said first digital file portion in said
memory of said second device: and
The digital file is stored in the second device's
memory. ]
endering said first digital file portion through
>aid output.
The digital file is rendered through the output,
such as played through the speakers and/or
displayed on the video monitor. For example, a
Word document is displayed on the screen of
the video monitor.
Exhibit Bii
107 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,253,193
Infringing products include Windows Media
Plaver. Windows Media Rights Manager SDK
19. A method comprising :
(a) receiving a digital file at a first device:
WMRM SDK. Step 3.
(b) establishing communication between said
first device and a clearinghouse located at
a location remote from said first device;
WMRM SDK, Step 6.
(c) said first device obtaining authorization
information including a key from said
clearinghouse:
WMRM SDK, Step 9. [License contains .the
key]
(d) said first device using said authorization
information to gain access to or make at
least one use of said first digital file,
including using said key to decrypt at least
a portion of said first digital file: and
WMRM SDK, Step 11.
(e) receiving a first control from said
clearinghouse at said first device:
WMRM SDK, Steps 8-9.
(f) storing said first digital file in a memory
of said first device; ;
WMRM SDK, Step 3.
(g) using said first control to determine
whether said first digital file may be
copied and stored on a second device;
At least the following WMRMRights Object
properties meet this limitation:
AllowTransferToNonSDMI,
AllowTransferToSDMl (or AllowTransfer To
WM-D-DRM-Compliant Device or other) and
TransferCount
(h) if said first control allows at least a portion
of said first digital file to be copied and
stored on a second device,
This and all subsequent claim steps occur when
the condition specified in the WMRMRights
Object property is met
(i) copying at least a portion of said first
digital file;
Transfer to the SDMI or non-SDMl (or WM-
D-DRM Compliant) portable device, if
allowed by Windows Media Rights Manager
(j) transferring at least a portion of said first
digital file to a second device including a
memory and an audio and/or video output;
Portable device necessarily includes at least a
memory and audio output
(k) storing said first digital file portion in said
memory of said second device: and
Music file is stored in the portable device
(1) rendering said first digital file portion
through said output.
Portable device plays the music
Exhibit B II
108
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRVST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,253,193
Infringing products include Windows Media
Player, Windows Media Player, Windows
Media Rights Manager SDK
51. A method comprising :
(a) receiving a digital file at a first
device;
WMRM SDK, Step 3,
(b) establishing communication
between said first device and a
clearinghouse located at a location
remote from said first device;
WMRM SDK, Step 6.
(c) said first device obtaining
authorization information from said
clearinghouse; and
WMRM SDK, Step 9,
(d) said first device using said
authorization information to gain access
to or make at least one use of said first
digital file;
WMRM SDK, Step 11.
(e) storing said first digital file in a
memory of said first device;
WMA file stored on client
(f) using at least a first control to
determine whether said first digital file
may be copied and stored on a second
device, said determination based at least
in part on (1) identification information
regarding said second device, and (2)
the functional attributes of said second
device;
If device is based on WM D-DRM, it has a
certificate that is used to identify the device as
compliant as well as the device's security
level. The security level indicates support on
the device for such attributes as an internal
clock.
(g) if, based at least in part on said
identification information, said first
control allows at least a portion of said
first digital file to be copied and stored
on a second device.
If License specifies that transfer of protected
WMA file to WM-D-DRM-Compliant device
is allowed, transfer may occur.
(h) copying at least a portion of said
first digital file;
If transfer is a licensed right as indicated in
the license, the song is copied to the device via
Windows Media Device Manager.
(i) transferring at least a portion of said
first digital file to a second device
including a memory and an audio
and/or video output;
Windows Media Device Manager transfers the
content to the device:
(j) storing said first digital file portion
in said memory of said second device;
and
WMA file is stored on device
(k) rendering said first digital file
portion through said output.
WMA file is rendered.
Exhibit B
109 ■!
•
•
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
•
mum
33.
Infringing products include all Microsoft .
tools that support the Microsoft ActiveX
licensing model, Visual Studio .NET, the
Microsoft Installer SDK, and Operating
System products that include the Microsoft
Installer technology.
A data processing arrangement comprising
at least one storing arrangement that at
least temporarily stores a first secure
container comprising first protected data
and a first set of rules governing use of said
first protected data,
The first protected data is an ActiveX
control.
The first alternative for the first secure
container is the signed .msi in which the
ActiveX developer packaged the ActiveX
cqntrol. The first set of rules is the
conditional syntax statements of the Signed
.msi file.
The second alternative for the first secure
container is the signed and licensed
ActiveX control. The first set of rules is
the license support code in the ActiveX
control.
A third alternative for the first container is
a signed cabinet file containing a (signed or
unsigned) ActiveX control with license
support code. The first set of rules is the
license support code in the ActiveX
control.
and at least temporarily stores a second
secure container comprising second
protected data different from said first
protected data and a second set of rules
governing use of said second protected
data; and
The second protected data is the application
developer's application that includes/uses
the ActiveX control. The application
developer's signed .msi file (second secure
container) contains the application (second
protected data). The second set of rules is
the signed .msi file's conditional syntax
statements that will be governed the
offer/installation of the application.
a data transfer arrangement, coupled to at
least one storing arrangement, for
transferring at least a portion of said first
protected data and a third set of rules
governing use of said portion of said first
protected data to said second secure
container.
Placing the licensed ActiveX control (first
protected information) in a signed cabinet
file (third secure container) that itself is
included in the application's signed .msi
file (second secure container). The third
set of rules is the license support code in
the ActiveX control.
further comprising I
means for creating and storing, in said at
least one storing arrangement, a third
secure container:
The ability of the application developer to
package files in signed cabinet files.
... Exhibit B
"110
i"
t
I
1
i
j
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
said data transfer arrangement further
comprising means for transferring said
portion of said first protected data and
said third set of rules to said third secure
container, and means for incorporating
said third secure container within said
second secure container; •
The third secure container is a cabinet file
signed by the application developer and
including at least the licensed ActiveX
control (first protected information. The
licensing support code in the ActiveX
control when its developer added licensing
support to the ActiveX control is the third
set of rules. •
34. A data processing arrangement as in
claim 33 further comprising means for
applying said third set of rules to govern at
least one aspect of use of said portion of
said first protected data.
Before an ActiveX control will create a
copy of itself, the calling application has to
pass a license key to the ActiveX control.
The license support code in the ActiveX
control (third rule set) evaluates the
authenticity of the calling' application's
request.
35. A data processing arrangement as in
claim 34 further comprising means for
applying said second set of rules to govern
at least one aspect of use of said portion of
said first protected data.
Windows Installer operating system service
enforces the conditional syntax statements
of the application's signed .msi file. These
statements govern the offer/installation of
the ActiveX control.
Exhibit B lj
111
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
41
Infringing products include all Microsoft ,
tools that support the Microsoft ActiveX
licensing model, Visual Studio .NET, the
Microsoft Installer SDK, and Operating
System products that include the Microsoft
Installer technology.
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
A method comprising performing the
following steps within a virtual distribution
environment comprising one or more
electronic appliances and a first secure
container, said first secure container
comprising (a) a first control set, and
(b) a second secure container comprising a
second control set and first protected
information:
The signed .msi file created by the ActiveX
control developer is the first secure ,
container. The conditional syntax
statement(s) of the ActiveX control
developer's signed .msi file is/are the first
control set.
The first protected information is the
ActiveX control. 1 ...
The first alternative for the second secure
container is the signed and licensed
ActiveX control. The second control set is
the license support code in the ActiveX
control.
The second alternative for the second
secure container is a signed cabinet file
containing the (signed or unsigned)
ActiveX control. The second control set is
the license support code in the ActiveX
control.
using at least one control from said first
control set or said second control set to
govern at least one aspect of use of said
first protected information while said first
protected information is contained within
said first secure container;
The ActiveX control developer's
conditional syntax statements (first control
set) in the ActiveX developer's signed .msi
file govern the offer/installation of the
ActiveX control while it is in its signed
.msi file.
Alternately, the license support code
(second control set) in the ActiveX control
governs use of the licensed ActiveX
control.
creating a third secure container
comprising a third control set for governing
at least one aspect of use of protected
information contained within said third
secure container;
The third secure container is a signed .msi
file. The application developer packages
its application in a signed .msi file (third
secure container) and includes conditional
syntax statements (third control set) in the
signed .msi
incorporating a first portion of said first
protected information in said third secure
container, said first portion made up of
some or all of said first protected
information; and
Placing the ActiveX control into the
application developer's signed .msi file
(third secure container).
using at least one control to govern at least
The application developer's conditional
Exhibit B
112 !!
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
• •
one aspect of use of said first portion of
said first protected information while said
first portion is contained within said third
secure container.
syntax statement(s) in its signed .msi file
govern the offer/installation ActiveX
control while it is in the signed .msi file
(third secure container).
42. A method as in claim 41 v iiiwhich said
first secure container further includes a
fourth secure container comprising a fourth
control set and second protected
information and further comprising the
following step:
The second protected information is a
second ActiveX control .
The first alternative for the fourth secure
container is the signed and licensed second
ActiveX control The fourth control set is
the license support code in the ActiveX
control.
The second alternative for the fourth secure
container is a signed cabinet file containing
the (signed or unsigned) second ActiveX
control. The fourth control set is the
license support code in the ActiveX ;
control.
using at least one control from said first
control set or said fourth control set to
govern at least one aspect of use of said
second protected information while said
second protected information is contained
within said first secure container.
The ActiveX control developer's
conditional syntax statements (first control
set) in the ActiveX developer's signed .msi
file govern the offer/installation of the
second ActiveX control while it is in its
signed .msi file.
Alternately, the license support code
(second control set) in the ActiveX control
governs use of the licensed ActiveX
control.
47. A method as in claim 41, in which said
step of creating a third secure container
includes:
creating said third control set by
incorporating at least one control not found
in said first control set or said second
control set.
The application developer's conditional
syntax statements are not found in either
the first control set or the second control
set.
52. A method as in claim 41 in which said
step of creating a third secure container
occurs at a first site, and further
comprising:
copying or transferring said third secure
container from said first site to a second
site located remotely from said first site.
The application developer at first site
distributes its application to other sites.
53. A method as in claim 52 in which said
first site is associated with a content
distributor.
The application developer at the first site is
the content distributor.
54. A method as in claim 53 in which said
second site is associated with a user of
The application developer distributes the
amplication to end-users.
— — 1; .. . — ...... .
■ 1
. Exhibit B ii
: 11 3 " i:
1
2
3
.4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
content.
55. A method as in claim 54 further
comprising the following step:
said user directly or indirectly initiating
communication with said first site.
For Internet downloads, the user initiates
the communication with the first site.
64. A method as in claim 54 in which said
third control set includes one or more
controls at least in part governing the use
by said user of at least a portion of said
first portion of said first protected
information.
The application developer's conditional
syntax statements (third control' set) govern
the installation of the ActiveX control (first
protected information).
76. A method as in claim 41 in which said
creation of said third secure container
further comprises using a template which
specifies one or more of the controls
contained in said third control set.
The third secure container is the application
developer's signed .msi file and the third
control set is the conditional syntax
statements in that file.
Microsoft supplies several template .msi
databases for use in authoring installation
packages. The UlSarnple.msi is the
template recommended in the "An
Installation Example" on MSDN. This
template msi files contains several default
conditional syntax statements. At least two
of these conditional syntax statements
directly govern the installation by blocking
progress until the EULA is accepted.
78. A method as in claim 52 in which said
creation of said third secure container
further comprises using a template which
specifies one or more of the controls
contained in said third control set.
The third secure container is the application
developer's signed .msi file and the third
control set is the conditional syntax
statements in that file.
Microsoft supplies several template .msi
databases for use in authoring installation
packages. The UlSarnple.msi is the
template recommended in the "An
Installation Example" on MSDN. This
template msi files contains several default
conditional syntax statements. At least two
of these conditional syntax statements
directly govern the installation by blocking
progress until the EULA is accepted.
Exhibit B ij
114
•
•
1
1
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
2
3
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
.4
5
6
81.
Infringing products include all Microsoft ,
tools that support the Microsoft ActiveX
licensing model, Visual Studio .NET, the
Microsoft Installer SDK, and Operating •
System products that include the Microsoft
UlbulJJCr ICUillJUJU^V.
A data processing arrangement comprising:
7
8
9
10
a first secure container comprising first
protected information and a first rule set
governing use of said first protected
information;
-
The first alternative for the first secure
container is the ActiveX control
developer's signed .msi file containing a
licensed- ActiveX control (the first .
protected information). The conditional
syntax statements of the signed .msi file are
the first rule set. .
11
12
13
The second alternative for the first secure
container is the signed cabinet file
containing the ActiveX control. The
license support code in the ActiveX control
is the first rule set.
14
15
The third alternative for the first secure
container is the licensed and signed
ActiveX control governed by license
support code in the ActiveX control.
16
17
18
a second secure container comprising a
second rule set;
The second secure container is the signed
.msi file which the application developer
package its application. The second rule
set is the conditional syntax statements of
the application developer's signed .msi file.
19
means for creating and storing a third
secure container; and
The third container is a signed cabinet file
containing at least the ActiveX control.
20
21
22
means for copying or transferring at least a
portion of said first protected information
and a third rule set governing use of said
portion of said first protected information
to said second secure container, said means
for copying or transferring comprising:
Putting the licensed ActiveX control (first
protected information) in a signed cabinet
file (third secure container). The licensing
support code in the ActiveX control is third
rule set.
23
means for incorporating said third
secure container within said second
secure container.
Packaging the signed cabinet file in the
signed .msi file.
24
25
82. A data processing arrangement as in
claim 81 further comprising:
26
27
means for applying at least one rule from
said third rule set to at least in part govern
at least one factor related to use of said
portion of said first protected information.
The third rule set ensures the user is
licensed.
28
83. A data processing arrangement as in
claim 82 further comprising:
Exhibit B ;
115
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
means for applying at least one rule from The second rule set governs the
said second rule set to at least in part offer/installation of first protected
govern at least one factor related to use of information,
said portion of said first protected
information.
Exhibit B ii
116
1
2
3
. 4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
85.
Infringing products include all Microsoft
tools that support the Microsoft ActiveX .
licensing model, Visual Studio .NET-, the
Microsoft Installer SDK, and Operating
System products that include the Microsoft
Installer technology.
A method comprising the following steps:
creating a first secure container comprising
a first rule set and first protected
information;
The first protected information is the
ActiveX control. • ,
The first alternative for the first secure
container is the signed and licensed
ActiveX control. The first rale set is the
license support code in the ActiveX 1 '
control.
The second alternative for the first secure
container is an (signed or unsigned)
ActiveX control with license support
contained within a signed cabinet file. The
first rule set is the ActiveX license support
code.
storing said first secure container in a first
memory:
The first secure container is stored at the
ActiveX control developer s location.
creating a second secure container
comprising a second rule set; .
The second secure container is the
application developer's signed .msi file.
The conditional syntax statements of the
signed .msi file are the second rule set.
storing said second secure container in a
second memory:
The second secure container is stored at the
application developer's location.
copying or transferring at least a first
portion of said first protected information
to said second secure container, said
copying or transferring step comprising
The ActiveX control developer packages
the control in a signed .msi file for
distribution to the application developer's
site.
creating a third secure container
comprising a third rule set;
The third secure container is the ActiveX
control developer's signed .msi file
containing a licensed ActiveX control. The
conditional syntax statements of the signed
.msi file are the third rule set.
copying said first portion of said
first protected information;
in preparation lor ubing a mbi du muring
tool, such as Microsoft's Orca, copying the
ActiveX control to a package staging area.
transferring said copied first portion
of said first protected information to
said third secure container: and
Using msi authoring tool to import the
control into the signed .msi file.
copying or transferring said copied
first portion of said first protected
information from said third secure
container to said second secure
container.
The application developer installs the
ActiveX control, which involves removing
it from the ActiveX developer's signed
.msi file and installing it into its
environment. Subsequently, the
EjchibitB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
application developer places the ActiveX
control into its signed .msi file when it is
packaging its application.
87. A method as in claim 85 in which said
copied first portion of said first protected
information consists ofthe entirety of said
first protected information. »
The entire ActiveX control is copied.
89. A method as in claim 85 in which
said first memory is located at a first site,
The first memory is located at the ActiveX
control developer's site.
said second memory is located at a second
site remote from said first site, and
The second memory is located at the
application developer's site.
said step of copying or transferring said
first portion of said first protected
information to said second secure container
further comprises copying or transferring
said third secure container from said first
site to said second site.
The ActiveX control developer's signed
.msi file is transferred from its site to the
site of the application developer.
Exhibit B
118
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
IS
19
20
21
22
23
24
25
26
27
28
• •
JNTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR IT <s PATFNT NO 5 915 019
85. (alternate infringing scenario)
Infringing products include all Microsoft
tools that support the Microsoft ActiveX
licensing model, Visual Studio .NET, the.
Microsoft Installer SDK, and Operating
System products that include the Microsoft
Installer technology.
A method comprising the following steps:
creating a first secure container comprising
a first rule set and first protected
information;
The first protected information is the
ActiveX control.
The first alternative for the first secure
container is the signed and licensed
ActiveX control. The first rule set is the
license support code in the ActiveX '
control.
The second alternative for the first secure
container is a (signed or unsigned) ActiveX
controj wnn license support contained
within a signed cabinet file. The first rule
sex wouju remain me AwiiveA licence
support code.
The third alternative for the first secure
rnntflinpr a ^iotipH m^i fil^ in which trip
IrUlJluiiJWl lo Ct Olf^lllrVA llJOi 1.11V 111 VViiivll U1V
ActiveX control developer packaged its
ActiveX control The first rule set is the
conditional syntax statement(s) of the
signed msi file.
storing said first secure container in a first
The first secure container is stored at the
ActiveX control developer's location.
creating a second secure container
comprising a second rule set;
The second secure container is the
application developer's signed .msi file.
The conditional syntax statements of the
siened .msi file are the second rule set.
<;lnrinf> <^aid second secure container in a
second memory:
The second secure container is stored at the
application developer's location.
copying or transferring at least a first
portion of said first protected information
to said second secure container, said
copying or transferrins step comprising:
The ActiveX control is placed in a cabinet
file signed by the application developer and
the signed cabinet file is placed in a .msi
file siened bv the application developer.
creating a third secure container
comprising a third rule set;
The third secure container is signed cabinet
file in which the application developer
placed licensed ActiveX. The third rule set
is the license support code in the ActiveX
control.
copying said first portion of said
first protected information;
Copying ActiveX control.
transferring said copied first portion
of said first protected information to
Transferring ActiveX control to signed
cabinet file.
. , . i i
Exhibit B!j
"119
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
said third secure container: and
copying or transferring said copied
first portion of said first protected
information from said third secure
container to said second secure
container.
The application developer places the signed
cabinet file into its signed .msi file when it
is packaging its application.
87. A method as in claim 85 in which said
copied first portion of said first protected
information consists of the entirety of said
first protected information.
The entire ActiveX control is copied.
93. A method as in claim 85 in which
said step of copying transferring said
copied first portion of said first protected
information from said third secure
container to said second secure container
further comprises storing said third secure
container in said second secure container.
The ActiveX control is placed in a cabinet
file signed by the application developer arid
the signed cabinet file is placed in a .msi
file signed by the application developer.
I;
. . Exhibit B l!
120
•
•
1
2
3
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
4
5
6
1. • . ,
Infringing products include the .NET
Framework SDK, Microsoft Visual Studio
;NET, the Microsoft Installer SDK, and. ■
products that include the Microsoft .NET
f^T U onH tKp \4irrncn"ft Tnctnllpr
V^JL<I\., dUU Uic jvjjvlvoUll liioLdUwl
technology/
7
8
9
10
11
A method of operating on a first secure
container arrangement having a first set of
controls associated therewith, said first
secure container arrangement at least in
part comprising a first protected content
file, said method comprising the following
steps performed within a virtual
distribution environment including at least
one electronic appliance:
The first protected content is a signed and
licensed .NET component used by.the
.NET assembly. The .NET assembly is
distributed with a signed and governed .msi
file. . The second protected content is
anotner signed ana licensed .jnci
component that is used by the .NET
assembly.
12
13
14
using at least one control associated with
said first secure container arrangement for
governing, at least in part, at least one
aspect of use of said first protected content
file while said first protected content file is
contained in said first secure container
arrangement;
The first protected content is signed and
licensed .NET component (first secure
container) contained within the .NET
assembly. The one control is a declarative
statement(s) within the assembly's header.
15
16
17
18
19
creating a second secure container
arrangement having a second set of
controls associated therewith, said second
set of controls governing, at least in part, at
least one aspect of use of any protected
content file contained within said second
secure container arrangement;
The protected content is the same as the
first protected content plus the additional
implementation information included in the
signed .msi file. The second secure
container is the signed .msi file created for
the .NET assembly. The signed .msi file's
conditional syntax statements are the
second set of controls that control the
offer/installation of the .NET assembly.
20
21
22
23
iransiemng at jeasi a pom on oi saiu nrsi
protected content file to said second secure
container arrangement, said portion made
up of at least some of said first protected
content file; and
HTh*» pniir^ TsJPT n^cpmHIv inrliiflpH in
1 iJC CJllllv .l^lJ— *i aoOClllUl Y lO iJiVsJ UvlWU 111
the signed .msi file.
Packaging the .NET assembly in the signed
.msi file involves the following process
steps. In preparation for using a msi
authoring tool, such as Microsoft's Orca,
copying the .NET component to a package
staging area. Using msi authoring tool to
import the .NET component into the signed
.msi file.
25
26
97
using at least one rule to govern at least one
aspect of use of said first protected content
file portion while said portion is contained
within said second secure container
arrangement:
The conditional syntax statement(s) of the
signed .msi file (second secure container)
control(s) the offer/installation of the .NET
assembly.
in which
said first secure container arrangement
comnrises a third secure container
The first alternative for the third secure
container is a licensed and siened .NET
. .™.t .
121
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
arrangement comprising a third set of
controls and said first protected content
file, and
component governed by the set of
declarative statements comprising the
LicenseProviderAttribute (third set of
controls).
The second alternative for the third secure '
container is a .NET component whose hash
is included in the header of the .NET
assembly. The set of declarative
statements comprising the
LicenseProviderAttribute is the third set of
controls.
said first secure container arrangement
further comprises a fourth secure container
arrangement comprising a fourth set of
controls and a second protected content
file.
The first alternative for the fourth secure
container is another licensed and signed
.NET component governed by the set of
declarative- statements comprising the
LicenseProviderAttribute (fourth set of
controls).
i
The second alternative for the fourth secure
container is the container created when the
hash of the .NET component is included in
the header information of the .NET
assembly. The set of declarative
statements comprising the
LicenseProviderAttribute is the fourth set
of controls.
Exhibit B;|
'122 '
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
33.
A data processing arrangement comprising
at least one storing arrangement that at
least temporarily stores a first secure
container comprising first protected data
and a first set of rules governing use of said
first protected data,
293482.02
and at least temporarily stores a second
secure container comprising second
protected data different from said first
protected data and a second set of rules
governing use of said second protected
data; and
a data transfer arrangement, coupled to at
least one storing arrangement, for
Infringing products include the .NET
Framework SDK, Microsoft Visual Studio
.NET, the Microsoft Installer SDK, and
products that include the Microsoft .NET
CLR, and the Microsoft Installer
technology.
The first protected information is the .NET
component.
The first alternate for the first secure
container is the signed .msi file in which
the .NET component developer packaged
its .NET component. The first set of rules
is the conditional syntax statements of the
signed .msi file.
The second alternative for the first secure
container is a licensed and signed .NET
component governed by the set of
declarative statements comprising the
LicenseProviderAttribute of the .NET
component (first set of controls).
The third alternative for the first container
is a signed cabinet file containing a (signed
or unsigned) .NET component with license
support. The first set of controls is the set
of declarative statements comprising the
LicenseProviderAttribute of the .NET
component.
The second protected data is the .NET
assembly developer's assembly that
includes/uses the .NET component.
The first alternative for the second secure
container is a signed .msi file in which the
.NET assembly developer packaged its
multi-file assembly (second protected
data). The second set of rules is the
conditional syntax statements of the signed
.msi file that governs the offer/installation
of the .NET assembly.
The second alternative for the second
secure container is a signed .NET
assembly. The second set of rules is the
declarative rules within the assembly's
header.
The third secure container is a signed .NET
assembly governed by declarative rules in
Exhibit Bi!
123
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
transferring at least a portion of said first
protected data and a third set of rules
governing use of said portion of said first
protected data to said second secure
container,
further comprising
means for creating and storing, in said at
least one storing arrangement, a third
secure container:
said data transfer arrangement further
comprising means for transferring said
portion of said first protected data and
said third set of rules to said third secure
container, and means for incorporating
said third secure container within said
second secure container.
its header (third set of rules). An
alternative third rule set is the set of
declarative statements comprising the
LicenseProvider Attribute. The .NET
assembly includes the .NET component. ,
The secure .NET assembly is included in a
signed .msi file (second secure container).
An alternative third secure container is the
container created by hashing the .NET
component and including the hash in the
header information of a .NET assembly.
The .NET component is included in the
signed and governed .NET assembly
(second secure container). The third set of
rules is the set of declarative statements
comprising the LicenseProviderAttribute.
An alternative third secure container is a
signed cabinet file containing the .NET
component and which is destined for a
signed .msi file (second secure container).
The third set of rules is the set of
declarative statements comprising the
LicenseProviderAttribute.
The first alternative for the third secure
container is a signed .NET assembly. In
this case, the second secure container is the
signed .msi file.
The second alternative for the third
container is the container created by
including a hash of the .NET component in
the header information of a .NET assembly.
In this case, the second secure container is
either the signed .msi file or the signed
.NET assembly.
The third alternative for the third container
is a cabinet file signed by the .NET
assembly developer containing the .NET
assembly and/or the .NET component. In
this case the signed .msi file is the second
secure container.
The first alternative for the third secure
container is the signed .NET assembly,
which includes and/or uses the licensed
.NET component (first protected
information). The third set of rules is a
declarative rule within the .NET
assembly's header. The .NET assembly is
placed in a signed .msi file (second secure
container).
Exhibit B Lj
124
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
The second alternative for the third secure
container is the container that results when
the hash of the .NET component is added
to the .NET assembly header information.
The third set of rules is the set of
declarative statements comprising the
LicenseProviderAttribute added to the
assembly.
The third alternative for the third secure
container is a cabinet file signed by the
.NET assembly developer containing the
.NET assembly and/or the .NET ^ '
component The third set of rules is a
declarative rule(s) within the .NET
assembly's header and/or the set of
declarative statements comprising the
LicenseProviderAttribute added to the .
assembly
34. A data processing arrangement as in
claim 33 further comprising means for
applying said third set of rules to govern at
least one aspect of use of said portion of
said first protected data.
When the third rule set is the declarative
statement(s) of the assembly header, the
runtime CLR enforces the statements.
When the third set of rules is the set of
declarative statements comprising the
LicenseProviderAttribute added to the
assembly, the license support code in the
.NET component evaluates the authenticity
of the calling assembly's request.
35. A data processing arrangement as in
claim 34 further comprising means for
applying said second set of rules to govern
at least one aspect of use of said portion of
said first protected data.
When the second set of rules is the
conditional syntax statements of the signed
.msi file, the Windows Installer operating
system service enforces the conditional
syntax statements of.NET assembly's
signed .msi file, which govern the
offer/installation of the .NET component.
When the second set of rules is the
declarative statement(s) within the
assembly's header, the runtime CLR
enforces the statements.
Exhibit B !
125
]
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
41.
A method comprising performing the
following steps within a virtual distribution
environment comprising one or more
electronic appliances and a first secure
container, said first secure container
comprising (a) a first control set, and
(b) a second secure container comprising a
second control set and first protected
information:
Infringing products include the .NET
Framework SDK, Microsoft Visual Studio
.NET, the Microsoft Installer SDK, and
products that include the Microsoft .NET
CLR, and the Microsoft Installer
technology.
using at least one control from said first
control set or said second control set to
govern at least one aspect of use of said
first protected information while said first
protected information is contained within
said first secure container;
creating a third secure container
comprising a third control set for governing
at least one aspect of use of protected
information contained within said third
secure container:
The signed .msi file created by the .NET
component developer is the first secure
container. The first conditional syntax
statement(s) of the .NET component
developer's signed .msi file is/are the first
control set.
The first protected information is the .NET
component.
The first alternative for the second secure
container is the signed and licensed .NET
component. The second control set is the
set of declarative statements comprising the
LicenseProviderAttribute.
The second alternative for the second
secure container is a signed cabinet file.
The second control set remains the set of
declarative statements comprising the
LicenseProviderAttribute.
The .NET component developer's
conditional syntax statements (first control
set) in its signed .msi file governs the
offer/installation of the .NET component
while it is in the signed .msi file.
Alternately, the set of declarative
statements comprising the
LicenseProviderAttribute (second control
set) of the licensed .NET component
governs use of the .NET component.
The first alternative for the third secure
container is a signed .NET assembly, the
protected information is the .NET
component and the third control set is the
declarative statement(s) within the .NET
assembly's header.
The second alternative for the third secure
container is a signed .msi file in which the
.NET assembly developer packages its
.NET assembly and the third control set is
the conditional syntax statement(s) in the
signed :msi file. •
Exhibit B
" 126 :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
• •
incorporating a first portion of said first
protected information in said third secure
container, said first portion made up of
some or all of said first protected
information; and
In the first alternative, placing the .NET
component into the signed .NET assembly.
In the second alternative, placing the .NET
component into the. Net assembly
developer's siened msi file.
using at least one control to gpvern at least
one aspect of use of said first portion of
said first protected information while said
first portion is contained within said third
secure container.
In the first alternative, the .NET assembly
developer's declarative statement(s) within
the .NET assembly's header govern(s) the
use of the .NET component while it is in
the signed .NET assembly.
In the second alternative, the conditional
syntax statements of the .NET assembly
developer's signed .msi file govern the
offer/installation of the NET component
while it is in the siened .msi file.
42. A method as in claim 41, in which said
first secure container further includes a
fourth secure container comprising a fourth
control set and second protected
miormation ana runner comprising me
following step:
The second protected information is /a
second .NET component.
The first alternative for the fourth secure
IsUiHallJCI lO LJ1C OJ^iJCU UllKl Ul/C/lldwU OC^UJJU
.NET component. The fourth control set is
the set of declarative statements comprising
the LicenseProviderAttribute of the second
.NET component.
The second alternative for the fourth secure
container is a second signed cabinet file.
The fourth control set is the set of
declarative statements comprising the
LicenseProviderAttribute.
using at least one control from said first
control set or said fourth control set to
govern at least one aspect of use of said
second protected information while said
second protected information is contained
within said first secure container.
The .NET component developer's
conditional syntax statements (first .control
set) in its signed .msi file governs the
offer/installation of the second .NET *
component while it is in the signed .msi
file.
Alternately, the set of declarative
statements comprising the
LicenseProviderAttribute (fourth control
set) of the licensed second .NET
component governs use of the second .NET
component.
47. A method as in claim 41, in which said
step of creating a third secure container
includes:
creating said third control set by
incorporating at least one control not found
in said first control set or said second
control set.
The .NET assembly developer's declarative
statements (first alternative for third control
set) and/or the developer's conditional
syntax statements (second alternative for
the third control set) are not found in either
Exhibit Bsi
127
1
2
3
4
5
6
7.
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
1 * #
the first control set or the second control
set. .
52. A method as in claim 41 in which said
step of creating a third secure container
occurs at a first site, and further
comprising:
copying or transferring said third.secure
container from said first site to a second
site located remotely from said first site.
The .NET assembly developer at first site -
distributes its assembly to other sites.
53. A method as in claim 52 in which said
first site is associated with a content
distributor.
The .NET assembly developer's business
module is used to create and distribute its
assembly.
54. A method as in claim 53 in which said
second site is associated with a user of
content.
The .NET assembly developer distributes
the assembly to end-users.
55. A method as in claim 54 further
comprising the following step:
said user directly or indirectly initiating
communication with said first site.
For Internet downloads, the user initiates
the communication with the first site.
64. A method as in claim 54 in which said
third control set includes one or more
controls at least in part governing the use
by said user of at least a portion of said
first portion of said first protected
information.
When the third control set is the .NET
assembly developer's declarative
statement(s) within the .NET assembly's
header, it governs the user's use of the
.NET component (first protected
information).
When the third control set is the .NET
assembly developer's conditional syntax
statements of the .NET assembly
developer's signed .msi file, it governs the
user's offer acceptance/installation of the
.NET component (first protected
information).
76. A method as in claim 41 in which said
creation of said third secure container
further comprises using a template which
specifies one or more of the controls
contained in said third control set.
When the third secure container is the
.NET assembly developer's signed .msi file
and the third control set is the conditional
syntax statements in that file.
Microsoft supplies several template .msi
databases for use in authoring installation
packages. The UlSample.msi is the
template recommended in the "An
Installation Example" on MSDN. This
template msi files contains several default
conditional syntax statements. At least two
of these conditional syntax statements
directly govern the installation by blocking
Droeress until the EULA is accented.
;i
!•■
t»
. . Exhibit B II
128
1
2
3
4.
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
78. A method as in claim 52 in which said
creation of said third secure container
further comprises using a template which
specifies one or more of the controls
contained in said third control set.
When the third secure container is the
.NET assembly developer's signed .msi file
and the third control set is the conditional
syntax statements in that file.
Microsoft supplies several template .msi
databases for use in authoring installation
packages. The LJISample.msi is the
template recommended in the "An
Installation Example" on MSDN. This
template msi files contains several default
conditional syntax statements. At least two
of these conditional syntax statements
directly govern the installation by blocking
progress until the EULA is accepted.
ii
.Exhibit Bp,
129 "'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
81.
A data processing arrangement comprising:
a first secure container comprising first
protected information and a first rule set
governing use of said first protected
information;
a second secure container comprising a
second rule set;
means for creating and storing a third
secure container; and
Infringing products include the .NET
Framework SDK, Microsoft Visual Studio
.NET, the Microsoft Installer SDK, and
products that include the Microsoft .NET
CLR, and the Microsoft Installer
technology.
The first protected information is the .NET
component.
The first alternative for the first secure
container is the signed .msi file in which
the .NET component developer packaged
its assembly. The first rule set is the
conditional syntax statements written by
the .NET component developer and placed
into the signed .msi file.
The second alternative for the first secure
container is the signed cabinet file
containing the (signed or unsigned) .NET
component. The set of declarative
statements comprising the
LicenseProviderAttribute when its
developer added licensing support to the
assembly is the first rule set.
The third alternative for the first secure
container is the licensed and signed .NET
component governed by the set of
declarative statements comprising the
LicenseProviderAttribute (first rule set)
added by the .NET component developer. -
The first alternative for the second secure
container is the signed .msi file in which
the .NET assembly developer packaged its
.NET assembly. The second rule set is the
conditional syntax statements written by
the .NET assembly developer and placed
into the signed .msi file.
The second alternative for the second
secure container is the signed .NET
assembly. The second rule set is the
declarative statements in the .NET
assembly's header.
When the second secure container is the
signed msi file, the third secure container is
the signed .NET assembly.
When the second secure container is the
Exhibit B;i
130 ■
3
• 4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
1 • •
signed .NET assembly, the third secure
container a .NET component secured by .
placing it in a signed cabinet file or by
including its hash in the header of the
assembly.
means for copying or transferring at least a
portion of said first protected; information
and a third rule set governing ;use of said
portion of said first protected information
to said second secure container, said means
for copying or transferring comprising:
When the second secure container is the
signed msi file and the third secure
container is the signed .NET assembly, the
third rule set is the set of declarative * •
statements within the assembly's header.
When, the second secure container is the
signed .NET assembly, the third rule set is
the set of declarative statements comprising
the LicenseProviderAttribute (third rule
set) added to the .NET component by its
developer.
means for incorporating said third
secure container within said second
secure container.
When the second secure container is the
signed msi file and the third secure .
container is the signed .NET assembly, the
assembly is placed in the signed .msi file.
When the second secure container is the
signed .NET assembly and the third secure
container is a .NET component contained
in a signed cabinet file or a .NET
component whose hash is included in the
header of the assembly, the third secure
container is incorporated within the .NET
assemblv.
82. A data processing arrangement as in
claim 81 further comprising:
means for applying at least one rule from
said third rule set to at least in part govern
at least one factor related to use of said
portion of said first protected information.
When the third rule set is declarative
statements within the assembly's header, it
governs the use of the .NET assembly
which includes the first protected
information.
When the third rule set is the set of
declarative statements comprising the
LicenseProviderAttribute added by the
.NET component by its developer, it
ensures the user is licensed.
83. A data processing arrangement as in
claim 82 further comprising:
means for applying at least one rule from
said second rule set to at least in part
govern at least one factor related to use of
said portion of said first protected
information.
When the second rule set is the conditional
syntax statements written by the .NET
assembly developer and placed into the
signed .msi file, it governs the
offer/installation of the .NET component.
When the second rule set is the declarative
statements in the .NET assembly's header.
Exhibit B!
1 131 :i
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
it governs the use of the .NET assembly,
which includes the first protected
information.
. -II
Exhibit Bij
132
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
85. A method comprising the following
steps:
Infringing products include the .NET
Framework SDK, Microsoft Visual Studio
.NET, the Microsoft Installer SDK, and
products that include the Microsoft .NET
CLR, and the Microsoft Installer
technology.
creating a first secure container comprising
a first rule set and first protected
information;
The first protected information is the .NET
component.
The* first secure container is a sijgned .NET
component (first protected information)
governed by the set of declarative
statements comprising the
LicenseProviderAttribute (first rule set).
The second alternative for the first secure
container is a cabinet file signed by the
.NET component developer containing a
(signed or unsigned) .NET component with
license support. The first rule set is the set
of declarative statements comprising the
. LicenseProviderAttribute.
storing said first secure container in a first
memory:
The first secure container is stored at the
.NET component developer's location.
creating a second secure container
comprising a second rule set;
The first alternative for the second secure
container is a signed .NET assembly and
the second rule set is declarative
statement(s) within the assembly's header.
The second alternative for the second
secure container is the signed .msi file in
which the .NET assembly developer
packages its (signed or unsigned)
assembly. The second rule set is the
conditional syntax statement(s) written by
the .NET assembly developer and placed
into the signed .msi file.
storing said second secure container in a
second memory;
The second secure container is stored at the
.NET assembly developer's location.
copying or transferring at least a first
portion of said first protected information
to said second secure container, said
copying or transferring step comprising:
The .NET component developer packages
its module in a signed .msi file for
distribution to the .NET assembly
developer's site.
creating a third secure container
comprising a third rule set;
The third secure container is the signed
.msi file in which the .NET component
developer packaged its .NET component.
The third control set is the conditional
syntax statements written by the .NET
component developer and placed into the
signed .msi file.
copying said first portion of said
In preparation for using a msi authoring
Exhibit Q!
133 ■
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
*9
20
21
22
23
24
25
26
27
28
first protected information;
tool, such as Microsoft's Orca, copying the
.NET component to a package staging area.
transferring said copied first portion
of said first protected information to
said third secure container; and
Using the msi authoring tool to import the
.NET component into the signed .msi file.
copying or transferring said copied
first portioriof said first protected
information from said third secure
container to said second secure
container.
The .NET assembly developer installs the
.NET component, which involves
removing it from the .NET component *
developer's signed .msi file and installing it
into its environment. Subsequently, the
.NET assembly developer places the .NET
component into its .NET assembly and/or
signed .msi file when it is packaging its .
.NET assembly.
87. A method as in claim 85 in which said
copied first portion of said first protected
information consists of the entirety of said
first protecied information.
The entire .NET component is copied.
89. A method as in claim 85 in which
said first memory is located at a first site,
The first memory is located at the .NET
component developer's site.
said second memory is located at a second
site remote from said first site, and
The second memory is located at the .NET
assembly developer's site.
said step of copying or transferring said
first portion of said first protected
information to said second secure container
further comprises copying or transferring
said third secure container from said first
site to said second site.
The .NET component developer's signed
.msi file is transferred from its site to the
site of the .NET assembly developer.
94. A method as in claim 85 further
comprising:
creating a fourth rule set.
When the second secure container is not a
signed .NET assembly, the fourth rule set is
declarative statements within the
assembly's header.
When the second secure container is not
the signed .msi file in which the .NET
assembly developer packages its (signed or
unsigned) assembly, the fourth rule set is
the conditional syntax statements written
by the .NET assembly developer and
placed into the signed .msi file.
!'
Exhibit Bii
134 '
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24.
25
26
27
28
293482.02
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
85 (alternate infring in g scenario)
A method comprising the following steps:
creating a first secure container comprising
a first rule set and first protected
information;
Infringing products include the .NET
Framework SDK, Microsoft Visual Studio
.NET, the Microsoft Installer SDK, and
products that include the Microsoft .NET
CLR, and the Microsoft Installer
technology.
storing said first secure container in a first
memory;
creating a second secure container
comprising a second rule set;
The first protected information is the .NET
component.
The first alternative for the first secure
container is the signed and licensed .NET
component. The first rule set is the set of
declarative statements comprising the
LicenseProviderAttribute in the .NET
component.
The second alternative for the first secure
container is a (signed or unsigned) .NET
component with license support contained
within a cabinet file signed by the .NET
component developer. The first rule set is
the set of declarative statements comprising
the LicenseProviderAttribute in the .NET
component.
The third alternative for the first secure
container is the signed .msi file in which
the .NET component developer packaged
its assembly. The first rule set is the
conditional syntax statements written by
the .NET component developer and placed
into the signed .msi file.
The first secure container is stored at the
.NET component developer's location.
storing said second secure container in a
second memory;
The first alternative for the second secure
container is a signed .NET assembly and
the second rule set is declarative
statement(s) within the assembly's header.
The second alternative for the second
secure container is the signed .msi file in
which the .NET assembly developer
packages its (signed or unsigned)
assembly. The second rule set is the
conditional syntax statement(s) written by
the .NET assembly developer and placed
into the signed .msi file.
copying or transferring at least a first
The second secure container is stored at the
.NET assembly developer's location.
The .NET assembly developer places the
Exhibit Bii
135
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293462.02
• •
portion of said first protected information
to said second secure container, said
copying or transferring step comprising:
.NET component into the third secure
container, which is either a signed cabinet
file or a signed .NET assembly.
creating a third secure container
comprising a third rule set;
When the second secure container is the
signed .msi file, the third secure container,
is the signed .NET assembly. The third
rule set is the declarative statement(s) in
the .NET assembly's header. . ,
When the second secure container is either
a .NET assembly or the signed .msi file, the
third secure container is a signed cabinet
file in which the .NET assembly developer
placed licensed .NET component. The
third rule set is the set of declarative
statements comprising the
LicenseProviderAttribute in the .NET
component.
copying said first portion of said
first protected information;
Copying the .NET component to either the
.NET assembly or to the signed cabinet
file.
transferring said copied first portion
of said first protected information to
said third secure container; and
Transferring the .NET component to either
the .NET assembly or the signed cabinet
file.
copying or transferring said copied
first portion of said first protected
information from said third secure
container to said second secure
container.
When the second secure container is the
signed .msi file and the third secure
container is the signed .NET assembly, the
.NET assembly is placed into the signed
.msi file.
When the second secure container is either
the .NET assembly or the signed .msi file
and the third secure container is the signed
cabinet file, the signed cabinet file is placed
into either the .NET assembly or the signed
.msi file.
87. A method as in claim 85 in which said
copied first portion of said first protected
information consists of the entirety of said
first protected information.
The entire .NET component is copied.
93. A method as in claim 85 in which
said step of copying transferring said
copied first portion of said first protected
information from said third secure
container to said second secure container
further comprises storing said third secure
container in said second secure container.
When the third secure container is the
signed .NET assembly, it is placed in the
signed .msi file.
When the third secure container is a signed
cabinet file, it can be placed in either the
.NET assembly and/or the siened .msi file.
94. A method as in claim 85 furthei
comprising
creating a fourth rule set.
When the second rule set is declarative
statements within the assembly's header.
1 1
' !!
..... Exhibit B ; |
"136 !
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17.
18
19
20
21
22
23
24
25
26
27
28
the fourth rule set is the conditional syntax
statement(s) written by the .NET assembly
developer arid placed into the signed .msi
When the second rule set is the conditional
syntax statement(s) written by the .NET
assembly developer and placed into the
signed .msi file, the fourth rule set is
declarative statement(s) within the
assembly's header or the set of declarative
statements comprising the
LicenseProviderAttribute in the .NET
component. ±
If the fourth rule set is the conditional
syntax statements of the .NET assembly
developer's signed .msi file, it governs the
offer/installation of the .NET component.
file.
95. A method as in claim 94 further
comprising:
using said fourth rule set to govern at least
one aspect of use of said copied first
portion of said first protected information.
If the fourth rule set is the .NET assembly
developer's declarative statement(s) within
the .NET assembly's header, it governs the
use of the .NET component.
i !
i!
. Exhibit #
137
2
3
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUS T TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
85 (second alternate scenario for .NET)
method comprising the following step s:
creating a first secure container comprising
a first rule set and first protected
information;
Infringing products include the .NET
Framework SDK, Microsoft Visual Studio
•NET, the Microsoft Installer SDK, and
products that include the Microsoft .NET
CLR, and the Microsoft Installer
technology.
293482.02
The first protected information is a .NET
component.
The first alternative for the first secure
container is the signed and licensed .NET
component. The first rule set is the set of
declarative statements comprising the
LicenseProviderAttribute in the .NET
component.
The second alternative for the first secure
container is a (signed or unsigned) .NET
component with license support contained
within a cabinet file signed by the .NET
assembly developer. The first rule set is
the set of declarative statements comprising
the LicenseProviderAttribute in the .NET
component.
The third alternative for the first secure
container is a .NET component whose hash
is included in the assembly header of a
.NET assembly. The first rule set is the set
of declarative statements comprising the
LicenseProviderAttribute in the .NET
component.
I storing said first secure container in a first
memorv:
The first secure container is stored at the
.NET assembly developer's location.
j creating a second secure container
comprising a second rule set;
The second secure container is the signed
.msi file in which the .NET assembly
developer packages its signed assembly.
The second rule set is the conditional
syntax statement(s) written by the .NET
assembly developer and placed into the
signed .msi file.
storing said second secure container in a
second memorv:
The second secure container is stored at the
.NET assembly developer's location.
copying or transferring at least a first
portion of said first protected information
to said second secure container, said j
copying or Transferring step comprising;
The .NET assembly developer places the
.NET component into the third secure
container, which is the signed .NET
assembiv.
creating a third secure container
comprising a third rule set:
The third secure container is a signed .NET
assembiv and the third rule set is
Exhibit B II
138
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
declarative statement(s) within the
assembly's header.
copying said first portion of said
first protected information:
Copying the .NET component to the .NET
assembly.
transferring said copied first portion
of said first protected information to
said third secure container; and
Transferring the .NET component to the
.NET assembly.
copying or transferring said copied
first portion of said first protected
information from said third secure
container to said second secure
container.
When the second secure container is the
signed .msi file and the third secure
container is the signed .NET assembly, the'
.NET assembly is placed into the signed
.msi file. ■
87. A method as in claim 85 in which said
copied first portion of said first protected
information consists of the entirety of said
first protected information.
The entire .NET component is copied.
90. A method as in claim 85 in which
said first memory and said second memory
are located at the same site.
First and second memory is at the .NET
assembly developer's location.
93. A method as in claim 85 in which
said step of copying transferring said
copied first portion of said first protected
information from said third secure
container to said second secure container
further comprises storing said third secure
container in said second secure container.
When the third secure container is the
signed .NET assembly, it is placed in the
signed .msi file.
ti
Exhibit B:l
139 :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,915,019
96. A method comprising performing the
following steps within a virtual distribution
environment comprising one drmore
electronic appliances and a first .secure
container, said first secure container
comprising a first control set and first
protected information:
A signed and licensed .NET component ( ,
(first container) is part of a .NET assembly
(second container), which is packaged in a
signed .msi file (third container).
using at least one control from said first
control set to govern at least one aspect of
use of said first protected information
while said first protected information is
contained within said first secure container;
The first secure container is a licensed and
signed .NET component governed by thfe
set of declarative statements comprising the
LicenseProviderAttribute (one control).
creating a second secure container
comprising a second control set for
governing at least one aspect of use of
protected information contained within said
second secure container;
The second secure container is a .NET
assembly, the protected information is the
assembly and the second control set- is
declarative statement(s) within the
assembly's header.
incorporating a first portion of said first
protected information in said second secure
container, said first portion made up of
some or all of said first protected
information;
Included in the .NET assembly is the .NET
component.
using at least one control to govern at least
one aspect of use of said first portion of
said first protected information while said
first portion is contained within said second
secure container; and
The declarative statement(s) govern the use
of the -NET component and the custom
LicenseProvider class (first control set)
controls the .NET component.
incorporating said second secure container
containing said first portion of said first
protected information within a third secure
container comprising a third control set.
The third secure container is the signed
.msi file in which the .NET assembly
developer packages its assembly. The third
control set is the conditional syntax
statements written by the assembly
developer and placed into the signed .msi
file,
ii
. jj
Exhibit B jj
140
1
2
3
4.
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRVST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 5,949,876
A system for supporting electronic
Infringement is based on Microsoft's Visual Studio
.NET and/or the .NET Framework licensing tools (in
the.NET Framework SDK) and/or Microsoft Installer
SDK..
commerce including:
means for creating a first secure control
set at a first location;
The first location is a .NET component developer's
site. • ■:
The first secure control set is the set of declarative
statements comprising the LicenseProvider 'Attribute of
a first .NET licensed component that provides for a
design-time license to use the control. This attribute
also specifies the type of license validation that occurs.
The component is encapsulated in a signed .NET
assembly,
means for creating a second secure
control set at a second location;
The second location is the .NET application
developer's site where a .NET application comprising
one or more assemblies is created.
The second secure control set comprises the
declarative statement(s) (including licensing
statements, and code access security statements) of a
signed .NET assembly using or calling the first .NET
component. The control set can include a set of
security permissions demanded by the .NET assembly
containing the licensed component, whereby the
permissions are demanded of components that call the
application components. The control set can also be
extended by controls expressed as conditional syntax
statements in a signed .msi file containing a click
through end^user license (the end-user license
scenario).
means for securely communicating said
first secure control set from said first
location to said second location; and
The first .NET control set is securely communicated
from the first location developer to the .NET solution
provider by either being contained in a signed
assembly, within a signed cabinet file or within a
signed .msi file.
means at said second location for
securely integrating said first and
second control sets to produce at least a
third control set comprising plural
elements together comprising an
electronic value chain extended
agreement.
At the second location, the solution developer uses the
.NET runtime that includes the LicenseManager.
Whenever a class (control or component) is
instantiated (here, an instance of the first .NET
licensed component), the license manager accesses the
proper validation mechanism for the control or
component. A value chain is created through the
creaiion of a run-time license for use of the first .NET
component in the context of use of the .NET
application developed at the second location. The
Exhibit Q
141 '
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
license controls for the runtime license (derived from
the design time license) are bound into the header of
the .NET application assembly, along with the second
control set.
The creation of runtime license controls is securely
handled by Visual Studio.NET or the LC tool.
Runtime licenses are embedded into (and bound to)
the executing assembly. The license control attribute
included in the first .NET component is customized in
the second location to express and require the runtime
license. In a different scenario, the LC tool is used to
create a ".licenses file" containing licenses for
multiple components, including runtime licenses for
components and classes created by the license .
provider. This .licenses file is embedded into the
assembly.
The third control set is an extended value chain
agreement that comprises the runtime license controls*
for the first .NET licensed class (that had been bound
to the assembly), the declarative controls provided by
the solution provider in the solution provider's
assembly, and any runtime licenses for other
components included by the solution provider in the
solution provider's assembly, and any end user license
agreement provided by the application provider. The
controls are typically integrated into the header of the
.NET application assembly calling the first .NET
licensed component.
A further "end user licensing scenario" occurs when,
at the second location, the application developer
packages the application into a signed .msi file that
includes conditional syntax statement controls that
require that a user read and agree to an end user
license agreement for the application and the
embedded first component. The third control set
includes a plurality of elements that include the run-
time licenses mentioned above, security permissions
controls, EULA controls (a fourth control set), all
securely bound into the signed .msi file.
11. A system as in claim 2 in which said
first location and said second location are
contained within a Virtual Distribution
Environment.
The Microsoft .NET Framework provides a
Virtual Distribution Environment. Here the
nodes are the Common Language Runtime
instances that interpret the controls
contained within .NET assemblies (among
other functions).
29. A system as in claim 2 in which said
first secure control set includes required
The licensing control in the first control set
specifies the method required to validate
Exhibit Bii
142
1
1
•
•
terms.
the license.
2
J
32. A system as in claim 2 in which said
second secure control set includes required
terms.
The security permissions demanded (as
described above) are required terms for
execution of the application code elements.
4
5
6
7
0
o
60. A system as in claim 2 inwhich said
means for securely integrating said first arid
second control sets includes a fourth
control set.
In the scenario where the application
assembly is distributed using a signed .msi
file, the secure integration of the first and
second control sets is enhanced by the
tamper protection afforded by the signed
.msi file. In the end user license scenario, a
fourth control set consisting of conditional
syntax statements is included in the .msi
file/
9
10
11
130. A system as in claim 2 further
including means for executing said third
control set within a protected processing
environment.
The third control set is executed under the
auspices of the CLR
12
13
132. A system as in claim 130 in which
said protected processing environment is
located at a location other than said second
location.
The third control set is executed at an end-
user site within the CLR.
14
15
16
17
1 61 . A system as in claim 2 in which said
third control set includes controls
containing human-language terms
corresponding to at least certain of the
machine-executable controls contained in
said third control set.
In the end user license scenario, the third
control set includes a fourth control set that
requires that the human user agree with
license terms displayed to the user. These
human readable terms are referenced in the
conditional syntax statement controls
contained in the signed .msi file.
18
19
1 62. A method as in claim 1 61 in which
said human-language terms are contained
in one or more data descriptor data
structures.
The .msi file is a data descriptor data
structure.
20
21
22
1 70. A system as in claim 2 in which said
means for creating a first secure control set
includes a protected processing
environment.
The creation of the first licensed
component, including its licensed controls
is carried out under the auspices of the
CLR.
23
24
171. A system as in claim 2 in which said
means for creating a second secure control
set includes a protected processing
environment.
The application design time environment
and the creation of the .NET application is
carried out under the auspices of the CLR.
25
26
27
1 72. A system as in claim 2 in which said
means at said second location for securely
integrating includes a protected processing
environment.
The means for integrating the runtime
license with the application controls is
carried out under the auspices of the CLR.
28
329. A system as in claim 2 in which said
VS.NET runs under Windows.
ti
;i
1!
■,: ..Exhibit! B
143 :
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
• •
means tor creating a first secure control set
includes an operating system based on or
compatible with Microsoft Windows.
330. A system as in claim 2 in which said
means for creating a second secure control
set includes an operating system based on
or comoatible with Microsoft Windows
VS.NET runs under Windows.
331. A system as in claim 2 in which said
means at said second location for securely
integrating said first and second control
sets includes an operating system based on
or compatible with Microsoft Windows
VS.NET runs under Windows,
346. A svstem as in claim 9 fiirthpr
comprising means by which said third
control set governs the execution of at least .
one load module.
The third control set in the scenario
described in the claim map for claim 2
governs a portable .NET executable
designed to be loaded into the CLR '
environment fa CLR hostV
347. A system as in claim 2 farther
comprising means by which said third
control set governs the execution of at least
one method.
The third control set in the scenario
described in the claim map for claim 2
governs a .NET executable. This
executable contains one or more methods
349. A system as in claim 2 further
comprising means by which said third
control set governs the execution of at least
one procedure.
The third control set in the scenario
described in the claim map for claim 2
governs a .NET executable. This
executable contains one or more
procedures.
293482.02
Exhibit B \\
144
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
• •
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,112,181
A .v : - • CLAIM LANGUAGE ; v ?
48. ■ • ' '• * .
Infringing products include Microsoft SMS
(Systems Management Server) 2.0 and
subsequent versions. •
A method for narrowcasting selected
digital information to specified
recipients, including:
a) at a receiving appliance, receiving
selected digital information from a
sending appliance remote from the
receiving appliance,
The receiving appliance is the client (e.g., eiid
user computer in an Enterprise setting)
receiving digital information (packages and/or
advertisement files) from the sending
appliance, the centralized SMS database via a
Client Access Point and/or Distribution Point .
set up on a server.
the receiving appliance having a
secure node and being associated
with a specified recipient;
The "node" is "secure" as a result of SMS
security, as well as how it identifies and selects
clients.
The "specified recipient" is the result of the
collection identifying a specific client that
meets the criteria for a package or
advertisement.
i) the digital information having
been selected at least in part based on
the digital information's membership in
a first class, wherein the first class
membership was determined at least in
part using rights management
information; and
The digital information is a software package .
or advertisement. The "first class membership
was determined in part using rights
management information" reads on creating
software packages (or advertisements) based
on attributes of the software.
ii) the specified recipient having
been selected at least in part based on
membership in a second class, wherein
the second class membership was
determined at least in part on the basis
of information derived from the
specified recipient's creation, use of, or
interaction with rights management
information; and
The "specified recipient" is the client selected
to receive a package or advertisement. That
recipient is chosen based on a collection rule,
or on the recipient's possession of a license.
b) the specified recipient using the
receiving appliance to access the
received selected digital information in
accordance with rules and controls,
associated with the selected digital
information.
The receiving appliance is the client computer.
The SMS agents on the client computer
receive, evaluate and take the appropriate
action based on rules and controls governing
the package and/or advertisement (i.e. the
selected digital information).
the rules and controls beine enforced
Rules arid controls are enforced bv Aeents on
H
ii
Exhibit B
145
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
by the receiving appliance secure node.
the client (the secure node)
59. The method of claim 48 wherein
said received selected digital
information is at least in part event
information. "•
Event information includes SMS event
information, including Scheduling Classes
63. The method of claim 48 wherein
said received selected digital
information is at least in part executable
software.
All SMS packages must include a minimum of
one program.
70. The method of claim 48 wherein
said rules and controls at least in part
govern usage audit record creation.
A control governs whether a MIF
(management information file) is sent back to
the SMS db after installation is done to report
on the success or failure of the installation.
89. The method of claim 48 wherein
said receiving appliance is a personal
computer.
The primary purpose of SMS is to manage
software on personal computers throughout the
Enterprise. ;
Exhibit B !!
146 '
1
2
3
.4
5
6
7
8
■9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
293482.02
• •
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,112,181
48.
Infringing products include Windows'
Media Player and Windows Media Rights
Manager . ...
A method for narrowcasting selected
digital information to specified recipients,
including:
This claim pertains to Windows Media
Player with Individualized DRM Client and
Windows Media Rights Manager used in
the context of a narrowcast pay-per-view
(hear) media distribution service.,'
simulcast and/or subscription services.
(a) at a receiving appliance, receiving
selected digital information from a sending
appliance remote from the receiving
appliance, the receiving appliance having a
secure node and being associated with a
specified recipient
Receiving appliance is a user's PC with
individualized DRM client (secure node).
Specified recipient is a user using the
specific individualized DRM client to
access and render narrowcast pay-per-view
media, simulcast and/or subscription
services for which the user acquires a
license.
(i) the digital information having been
selected at least in part based on the digital
information's membership in a first class,
wherein the first class membership was
determined at least in part using rights
management information; and
The digital information is media that is
narrowcast to licensed recipients. These
narrowcast streams are licensed to users
who have acquired licenses and whose PCs
(appliances) support WMPs that have
individualized DRM clients. This attribute
is included in the signed WMA file header
and is used in the process of acquiring
licenses for access to the media. Media that
are licensed to the recipient have their
licenses bound to the recipient's
Individualization module.
(ii) the specified recipient having been
selected at least in part based on
membership in a second class, wherein the
second class membership was determined
at least in part on the basis of information
derived from the specified recipient's
creation, use of, or interaction with rights
management information; and
The recipient is selected for this content
based on the fact that the recipient is a
member of the class of recipients who have
a license for the narrowcast media and
whose devices support WMP and
individualized DRM clients. The
recipient's machine must indicate support
for individualization in challenges that are
sent as part of requests for media in this
narrowcast class.
(b) the specified recipient using the
receiving appliance to access the received
selected digital information in accordance
with rules and controls, associated with the
selected digital information, the rules and
controls being enforced by the receiving
appliance secure node.
Recipient's machine uses WMP and the
individualized DRM client to access the
narrowcast media in accordance with all
rules associated with the media and
contained in the media license - in
particular, requirements that
individualization be supported.
Exhibit Bii
147 •:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
61. The method of claim 48 wherein said
received selected digital information is at
least in part entertainment information.
The digital information is Windows Media,
which encodes audio/visual entertainment
content.
62/ The method of claim 61 wherein said
entertainment information is at least in part
music information.
Reads. on narrowcast Windows Media Files
that are music or audio/visual.
67. The method of claim 48 wherein said
rules and controls at least in part use digital
certificate information.
The license contains a digital certificate.
The DRM client uses the certificate in the
license to verify this signature and to verify
that the header has not been tampered with.
72. The method of claim 4 8. wherein said
rules and controls in part specifying at least
one clearinghouse acceptable to
rightsholders. :
The signed header contains at least .one
URL that indicates to the Windows Media
Rights Manager the license clearinghouse
to be used in acquiring licenses.
75. The method of claim 72 wherein said at
least one acceptable clearinghouse is a
r ights and permissions clearinghouse.
This clearinghouse is a license
clearinghouse responsible for mapping
rights and permissions onto requested
content or narrowcasts and binding them to
the requesting client environment or user of
this environment.
59. The method of claim 48 wherein said
eceiving appliance is a personal computer.
Windows Media Player and the
Individualized DRM client run on a
personal computer.
.-■•ir
..Exhibit Bi
148 ;
•
•
1
1
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
2
3
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,112,181
4.
91
Infringing products include Windows
Media Player and Windows Media Rights.
Manager
5
6
7
8
9
A method for securely narrowcasting
selected digital information to specified .
recipients including:
This claim pertains to Windows Media
Player with Individualized.DRM Client and
Windows Media Rights Manager used in
the context of a narrowcast simulcast, pay-
per-view (hear) media distribution service,
and/or subscription services. The content
is delivered in a Protected Windows Media
File.
10
11
12
(a) receiving selected digital information in
a secure container at a receiving appliance
remote from a sending appliance, the
receiving appliance having a secure node,
the receiving appliance being associated
with a receiving entitv
Narrowcast content is received in a
Protected Windows Media File. Receiving
appliance is user's PC with individualized
DRM client (secure node).
13
14
(i) the digital information having
been selected at least in part based
on the digital information's
membership in a first class,
The digital information is media that is
narrowcast to licensed recipients (for
example, a sold-out concert is narrowcast
on the Internet to "the class of licensed (or
ticketed) viewers).
15
16
17
18
19
(ii) the first class membership
having been determined at least in
part using rights management
information
These narrowcast streams are licensed to
users who have acquired licenses and
whose PCs (appliances) support WMPs
that have individualized DRM clients. This
attribute is included in the signed WMA
file header and is used in the process of
acquiring licenses for access to the media.
Media that are licensed to the recipient
have their licenses bound to the recipient's
individualization module.
20
21
(b) the receiving entity having been
selected at least in part based on said
receiving entity's membership in a second
class.
The recipient is selected for this content
based on the fact that the recipient is a
member of the class of recipients who has a
license for the narrowcast media.
22
23
24
25
(i) the second class membership
having been determined at least in
part on the basis of information
derived from the recipient entity's
creation, use of, or interaction with
rights management information
The recipient class is determined by the
license bound to the user's device that
supports WMP and individualized DRM
clients. The recipient's machine must
indicate support for individualization in
challenges that are sent as part of requests
for media in this narrowcast class.
26
(c) receiving at the receiving appliance
rules and controls in a secure container.
Receives a protected Windows Media File
27
(i) the rules and controls having
been associated with the selected
digital information; and
Receives a license that is bound to the file
as well as to the specific DRM client
individualization information.
28
(d) using at the receiving appliance the
selected digital information in accordance
Recipient's machine uses WMP and the
individualized DRM client to access the
;i
• \\
.Exhibit B
149'
with the rules and controls,
(i) the rules and controls being
enforced by the receiving appliance
secure node.
narrowcast media in accordance with all
rules associated with the media and
contained in the media license - in
particular, requirements that
individualization be supported.
The WMP and DRM client enforce the '
rules embedded in the Protected Windows
Media File License. '_■
104. The method of claim 91 wherein said
received selected digital information
includes entertainment information.
The digital information is Windows Media,
which encodes audio/visual entertainment
content.
10
11
12
13
14
15
16
17
18
109. The method of claim 91 wherein said
I rules and controls at least in part use digital
certificate information.
114. The method of claim 91 wherein said
I rules and controls specify at least one
clearinghouse acceptable to rightsholders.
117. The method of claim 1 14 wherein said
I at least one acceptable clearinghouse is a
rights and permissions clearinghouse.
The license contains a digital certificate.
The DRM client uses the certificate in the
license to verify this signature and to verify
that the header has not been tampered with.
The signed header contains at least orie
URL that indicates to the Windows Media
Rights Manager the license clearinghouse
to be used in acquiring licenses.
This clearinghouse is a license
clearinghouse responsible for mapping
rights and permissions onto requested
content or narrowcasts and binding them to
the requesting client environment or user of
this environment.
131. The method of claim 91 wherein said
receiving appliance is a personal computer.
Windows Media Player and the
individualized DRM client run on a
personal computer. __
19
20
21
22
23
24
25
26
27
28
293482.02
ExhibitB i|
150 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
INTERTRUST TECHNOLOGIES CORP. v. MICROSOFT CORP.
INTERTRUST INFRINGEMENT CHART
FOR U.S. PATENT NO. 6,389,402
Products infringing: Microsoft Visual Studio
.NET, .NET License Cpmpiler, .NET
Framework SDK, and .NET Common
Language Runtime
A method including
A method for producing a third .NET
component (application) that incorporates first
and second .NET component whose
distribution is license controlled.
creating a first secure container including a
first governed item and having associated a
first control;
The first secure container is a first signed
.NET component that includes a license
control. The governed item is the .NET
component.
The first control is the set of declarative
statements comprising the
LicenseProviderAttribute of a first .NET
licensed component that provides for a design-
time license to use the control. This attribute
also specifies the type of license validation that
occurs.
;reating a second secure container including a
second governed item and having associated a
second control;
The second secure container is the second
signed .NET component that includes a license
control. The governed item is the .NET
component.
The second control is the set of declarative
statements comprising the
LicenseProviderAttribute of a second .NET
licensed component that provides for a design-
time license to use the control. This attribute
also specifies the type of license validation that
occurs.
ransferring the first secure container from a
irst location to a second location;
The creator distributes a signed and licensed
.NET. component.
An application developer at a second location
downloads a first .NET component for
inclusion into an application.
ransferring the second secure container from a
hird location to the second location;
A creator distributes a signed and licensed
.NET component from a different location.
Application developer downloads a second
.NET component for inclusion into an
application.
Exhibit B
151
•
•
at the second location, obtaining access to at
least a portion of the first governed item, the.
access being governed at least in part by the
first control;
At the second location, the application
developer uses the .NET runtime that includes
the LicenseManager to access a first governed
item. . ■ t
Whenever a class (control or component) is
instantiated (here, an instance of the first .NET
licensed component), the license manager
accesses the proper validation mechanism for
the control or component.
i
The first control comprises the declarative
' statement(s) (including licensing statements,
and code access security statements) of the first
.NET component.
at the second location, obtaining access to at
least a portion of the second governed item, the
access being governed at least in part by the
second control;
At the second location, the application
developer uses the .NET runtime thatincludes
the LicenseManager to access a second
governed item.
Whenever a class (control or component) is
instantiated (here, an instance of the second
.NET licensed component), the license
manager accesses the proper validation
mechanism for the control or component.
The second control comprises the declarative
statement(s) (including licensing statements,
and code access security statements) of the
second .NET component
at the second location, creating a third secure
container including at least a portion of the first
governed item and at least a portion of the
second governed item and having associated at
least one control, the creation being governed
at least in part by the first control and the
second control.
At the second location, the application
developer uses the .NET runtime that includes
the LicenseManager to access a first governed
item and second governed item to construct an
application, the third secure container.
Creation governance is accomplished by
invoking the .NET runtime to access the first
governed item and the second governed item.
Whenever a class (control or component) is
instantiated the license manager accesses the
proper validation mechanism for the control or
component.
The portions of the first governed item and
second governed item that are being included
in the third secure container will typically
include the governed items themselves, ie. the
.NET components.
The associated control in this case is the
LicenseProviderAUribute, created and inserted
into the application.
Exhibit B
152